Overview
- The Hyperbridge gateway on Ethereum, exploited Monday, accepted a forged cross-chain message that reassigned admin control of the bridged DOT contract.
- With admin rights, the attacker minted 1 billion bridged DOT, then routed the tokens through Odos and a Uniswap V4 DOT–ETH pool to pull out about 108.2 ETH, worth roughly $237,000.
- The damage was confined to the ERC‑20 representation of DOT on Ethereum: Polkadot’s native chain and the real DOT supply were unaffected. Hyperbridge paused its app while security firms investigated.
- Thin liquidity in the bridged DOT pools meant the massive dump crashed the token’s DEX price and capped the payout, while native DOT saw only a modest slide as traders processed the news.
- The incident highlights a design risk in many bridges where destination‑chain token contracts depend on strict proof validation, since one failed check can grant unlimited minting power.
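
The last point implies a second control that does not rely on the gateway's proof check. As an added example (not Hyperbridge's code; the event names, fields and the source-chain backing figure are assumptions, and the events are constructed), this monitor flags an admin change on the bridged token, a mint shortly after it, and bridged supply exceeding the amount locked on the source chain:

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample events for a bridged-token contract (not real chain data).
# Event kinds and field names are assumptions made for this illustration.
EVENTS = [
    {"block": 100, "kind": "Mint", "amount": 5_000},
    {"block": 140, "kind": "Burn", "amount": 1_000},
    {"block": 200, "kind": "AdminChanged", "new_admin": "0xNEW"},
    {"block": 201, "kind": "Mint", "amount": 1_000_000_000},
]

@dataclass
class BridgeMonitor:
    backing: int                      # amount locked on the source chain (independent feed)
    recent_window: int = 50           # blocks after an admin change treated as suspicious
    admin: str = "gateway"
    supply: int = 0
    admin_changed_at: Optional[int] = None
    alerts: list = field(default_factory=list)

    def observe(self, ev):
        kind, block = ev["kind"], ev["block"]
        if kind == "AdminChanged":
            # Admin changes on a bridged token should be rare; always surface them.
            self.admin, self.admin_changed_at = ev["new_admin"], block
            self.alerts.append((block, "ADMIN_CHANGED"))
        elif kind == "Burn":
            self.supply -= ev["amount"]
        elif kind == "Mint":
            self.supply += ev["amount"]
            changed = self.admin_changed_at
            if changed is not None and block - changed <= self.recent_window:
                self.alerts.append((block, "MINT_AFTER_ADMIN_CHANGE"))
            # Invariant: bridged supply must never exceed what is locked at the source.
            if self.supply > self.backing:
                self.alerts.append((block, "SUPPLY_EXCEEDS_BACKING"))

def run_monitor(events, backing):
    mon = BridgeMonitor(backing=backing)
    for ev in sorted(events, key=lambda e: e["block"]):
        mon.observe(ev)
    return mon

if __name__ == "__main__":
    for block, alert in run_monitor(EVENTS, backing=5_000).alerts:
        print(block, alert)
```

The same supply-versus-backing invariant can gate an automatic pause, so a single failed proof check does not translate directly into unlimited minting.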