Key Takeaways:
- A hacker used a replay flaw to mint 1 billion fake Polkadot tokens via the Hyperbridge gateway.
- The price of DOT dropped 6% to $1.16 before recovering, while the hacker netted $237,000 in ether.
- Hyperbridge developers are now expected to deploy patches to secure administrative smart contract functions.
Liquidity Bottleneck Limits Losses
On April 13, blockchain security firm Certik alerted the cryptocurrency community to an exploit involving the Hyperbridge gateway, where a malicious actor minted 1 billion unauthorized Polkadot tokens on the Ethereum network. Following the incident, the price of DOT briefly plunged from $1.23 to $1.16, a decline of nearly 6%. However, at the time of writing, the token had erased some of those losses, recovering to $1.19.
According to onchain data and security reports, the attacker exploited a vulnerability within the Hyperbridge gateway smart contract. By using a fabricated message to gain administrative privileges over the bridged DOT contract on Ethereum, the perpetrator triggered a single transaction that generated the 1 billion tokens.
Despite the large number of tokens created, the attacker was unable to cash out at the market value because the bridged version of DOT on Ethereum had shallow liquidity.
Analysis from Lookonchain confirms the hacker liquidated the entire 1 billion-token haul in a single swap. The trade yielded approximately 108.2 ether, valued at roughly $237,000 at the time of the transaction. Had the bridged asset been more widely traded, the financial impact could have been substantially higher.
Security experts were quick to clarify that the breach was localized to the Hyperbridge gateway on Ethereum. Polkadot’s core relay chain and the authentic DOT tokens residing on the Polkadot network remain secure and were not impacted by the incident.
In its initial post mortem, Certik said the exploit stemmed from a replay vulnerability in Merkle Mountain Range’s calculateroot function. This flaw meant that proofs were not properly bound to requests, allowing attackers to reuse old state commitments. Downstream, the tokengateway.handlechangeadmin function failed to enforce strict checks, letting attackers arbitrarily input request data.
As a result, malicious code propagated unchecked through the system, ultimately enabling the attacker to change the admin of the Polkadot token. As Certik noted:
“The attacker submitted ‘proof’ value is copied from the ‘_stateCommitments’ in a previous txn… thus making the replay possible.”
Hyperbridge has yet to release a full post-mortem on the specific flaw in the gateway smart contract, but developers are expected to implement patches to prevent similar exploits in the future.
