A critical security flaw was discovered on April 13, 2026 in the Hyperbridge cross-chain gateway connecting Polkadot and Ethereum. According to security firm CertiK, an attacker exploited a replay vulnerability in the Merkle Mountain Range proof verification, enabling unauthorized administrative access to the bridged DOT contract on Ethereum. The attacker minted one billion fake DOT tokens and executed a single swap transaction, converting the entire supply into approximately 108.2 ETH (about $237,000), before liquidity constraints prevented additional sales. The bridged DOT price collapsed from around $1.22 to fractions of a cent in impacted pools, driving a 5% drop in the price of DOT on major exchanges before partial recovery.
On-chain data indicates the exploit occurred at approximately 05:05 UTC, when forged state-commitment proofs bypassed authentication checks in the tokengateway.handleChangeAdmin function. This flaw allowed the attacker to assume the admin role of the ERC-20 wrapped DOT contract on Ethereum and generate an unlimited token supply. Despite the scale of minting, shallow liquidity in decentralized exchanges limited the attacker’s profit to under $250,000. Polkadot’s main relay chain remained secure, and native DOT tokens were not affected by the breach. Developers and auditors are now prioritizing patches to enforce strict admin-role checks and resolve the replay vulnerability.
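The two properties a proof-gated admin handler needs are shown below as an added example; it is not Hyperbridge's code, and the article does not publish the contract's internals. It assumes a single perfect Merkle peak (an MMR is a list of such peaks), SHA-256 in place of keccak256, and a hypothetical `action|nonce|new_admin` message format. The commitment is derived from the message actually being executed, and each commitment is accepted once.

```python
import hashlib

def _h(data: bytes) -> bytes:
    # SHA-256 stands in for the keccak256 an EVM contract would use (assumption).
    return hashlib.sha256(data).digest()

def leaf_hash(message: bytes) -> bytes:
    return _h(b"\x00" + message)  # domain-separate leaves from inner nodes

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def verify_path(leaf: bytes, index: int, path: list, root: bytes) -> bool:
    """Recompute the peak root from a leaf, its position and its sibling path."""
    node = leaf
    for sibling in path:
        node = node_hash(sibling, node) if index & 1 else node_hash(node, sibling)
        index >>= 1
    # index must be fully consumed, otherwise the path length does not match the position
    return index == 0 and node == root

class Gateway:
    """Hypothetical model of a gateway that changes its admin only on a proven message."""
    def __init__(self, trusted_root: bytes, admin: str):
        self.trusted_root = trusted_root
        self.admin = admin
        self.consumed = set()  # commitments already executed

    def handle_change_admin(self, message: bytes, index: int, path: list) -> bool:
        # Bind the proof to the message being executed: never accept a
        # caller-supplied commitment that is separate from the payload.
        commitment = leaf_hash(message)
        if commitment in self.consumed:
            return False  # replay of an already-executed message
        if not verify_path(commitment, index, path, self.trusted_root):
            return False  # proof does not cover this exact message
        self.consumed.add(commitment)
        self.admin = message.rsplit(b"|", 1)[1].decode()
        return True

def build_demo():
    # Constructed sample messages; leaf 2 is the only legitimate admin change.
    msgs = [b"transfer|1|0xaaa", b"transfer|2|0xbbb",
            b"change_admin|3|0xgov", b"transfer|4|0xccc"]
    leaves = [leaf_hash(m) for m in msgs]
    n01, n23 = node_hash(leaves[0], leaves[1]), node_hash(leaves[2], leaves[3])
    return Gateway(node_hash(n01, n23), "0xold"), msgs[2], 2, [leaves[3], n01]
```
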
Leading on-chain analysis platforms such as CoinGecko recorded DOT’s price moving from $1.23 to as low as $1.17 in the minutes following the exploit before stabilizing around $1.19. Hyperbridge developers have pledged to collaborate with CertiK and blockchain security experts to conduct a full post-mortem, patch the gateway contract, and implement additional governance safeguards. The Polkadot community is also reviewing recent supply-cap governance measures, underscoring the need for comprehensive security audits in cross-chain solutions that rely on cryptographic proofs. This incident highlights the persistent risk of bridge vulnerabilities and the importance of rigorous formal verification in smart contract development.
Polkadot bridge exploit mints 1B DOT tokens on Ethereum
by Admin