A cross-chain exploit has hit Hyperbridge, with attackers minting 1 billion unauthorized bridged DOT on Ethereum after compromising a core contract in the protocol’s message flow.
Hyperbridge, an interoperability protocol built on Polkadot, was targeted through its gateway contract, according to onchain analysts and security researchers. The flaw reportedly allowed the attacker to forge messages, seize administrative control of the bridged token contract on Ethereum and mint a massive quantity of fake DOT.
That is the part that matters most. In cross-chain systems, message verification is the whole game. If an attacker can forge those messages, they do not just bypass a guardrail. They effectively impersonate the bridge itself.
In this case, the forged messages appear to have handed the attacker control over the Ethereum-side token contract, which was then used to mint 1 billion bridged DOT. The scale of the mint was obviously absurd on paper, but the market impact depended less on the nominal amount and more on how quickly the attacker could offload tokens before defenses kicked in.
Blockchain security firm CertiK said the attacker quickly sold part of the unauthorized tokens and walked away with around $237,000 in profit. That gap between the 1 billion minted and the relatively modest realized gain is telling. It suggests liquidity constraints, rapid detection or both.
Still, the exploit exposes a familiar weakness in bridge design. These systems often concentrate risk in a small number of contracts responsible for message validation and token issuance. When one of those contracts fails, the damage can move across chains very quickly.
For Hyperbridge, the immediate issue is containment and trust. The longer-term problem is harder. Once a bridge has been shown vulnerable at the message layer, users do not only question the affected token. They start questioning the assumptions behind the whole interoperability model the protocol depends on.
