Overview
- CertiK and other trackers said that on Monday the attacker sent a forged cross-chain message that slipped past a check meant to verify Polkadot messages, then took over the bridged DOT contract on Ethereum, minted 1 billion tokens, and sold them for about 108.2 ETH (~$237,000).
- The damage was limited to the ERC-20 version of DOT on Ethereum, while the native Polkadot network and its 2.1 billion supply cap stayed intact.
- Thin liquidity in the DOT-ETH pools on Ethereum capped the attacker’s haul and drove the bridged token’s price in those pools toward zero within an hour.
- Following Monday’s breach, Hyperbridge paused activity and Upbit halted DOT deposits and withdrawals as investigators tracked the funds.
- The incident underscores a wider 2026 pattern in which a single failed bridge validation can grant unlimited minting on destination chains because bridge contracts often hold administrator rights.