Key Takeaways
- A hacker successfully minted 1 billion bridged Polkadot (DOT) tokens on Ethereum by manipulating a Merkle tree verifier.
- Due to shallow liquidity, the attacker only realized roughly $237,000 in gains, while native DOT remains unaffected.
- The Hyperbridge exploit follows a similar incident at Aethir and a $130,000 exploit of the SubQuery Network.
Blockchain bridges remain the Achilles’ heel of the decentralized world, as evidenced by the recent $237,000 exploit of Hyperbridge. In a single, calculated transaction, an attacker managed to mint 1 billion bridged Polkadot (DOT) tokens on the Ethereum network. While the “1 billion” figure sounds catastrophic, the actual profit was capped by the liquidity available in the bridged pool.
The attacker made off with 108.2 Ether, but luckily, the rest of the Polkadot ecosystem dodged a bullet. It’s a reality check for all of us—even when a protocol claims ‘full node security,’ a clever forged message attack can still find a way through. No layer is truly bulletproof when someone is determined enough.
Hyperbridge pauses operations after exploit
Immediately after the exploit was detected, Hyperbridge administrators halted all operations. The team’s initial diagnosis points toward a malicious proof that effectively “tricked” the protocol’s Merkle tree verifier.
Specifically, security researchers at Blocksec Falcon identified a likely vulnerability in the Merkle Mountain Range (MMR) proof-to-request binding. This allowed the attacker to effectively forge an administrative message, granting them the power to change the Polkadot token contract’s ownership on Ethereum.
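To show what a proof-to-request binding check means in a verifier, here is an added example; it is not Hyperbridge's code and not a reconstruction of the actual flaw, whose details this article does not give. It uses a plain binary Merkle tree with SHA-256 rather than an MMR, and every function name and sample message in it is an assumption made for illustration.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(request: bytes) -> bytes:
    return _h(b"\x00" + request)          # 0x00 prefix: leaf domain

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)     # 0x01 prefix: inner-node domain

def build_proof(requests, index):
    """Return (root, sibling path) for requests[index]; len(requests) is a power of two."""
    level, path = [leaf_hash(r) for r in requests], []
    while len(level) > 1:
        path.append(level[index ^ 1])     # sibling at this level
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path

def root_from(leaf, index, path):
    node = leaf
    for sibling in path:
        node = node_hash(node, sibling) if index % 2 == 0 else node_hash(sibling, node)
        index //= 2
    return node

def verify_unbound(root, proven_leaf, index, path, request):
    # Weak: shows that *some* leaf is under the root, but `request`, the
    # message the caller will act on, never enters the hash computation.
    return root_from(proven_leaf, index, path) == root

def verify_bound(root, index, path, request):
    # Hardened: the leaf is recomputed from the exact request to be executed.
    return root_from(leaf_hash(request), index, path) == root

def demo():
    # Constructed sample data, not taken from the incident.
    committed = [b"msg:0", b"msg:1", b"msg:2", b"msg:3"]
    not_committed = b"admin:change-owner"
    root, path = build_proof(committed, 2)
    return {
        "unbound_accepts_uncommitted": verify_unbound(root, leaf_hash(committed[2]), 2, path, not_committed),
        "bound_accepts_uncommitted": verify_bound(root, 2, path, not_committed),
        "bound_accepts_committed": verify_bound(root, 2, path, committed[2]),
    }

if __name__ == "__main__":
    print(demo())
```

When reviewing a verifier, the thing to confirm is that the hashed leaf is derived from the same bytes that are later dispatched, as in `verify_bound`, rather than supplied alongside them.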
While native DOT holders saw a brief price dip to $1.16, the market stabilized quickly as it became clear the core Polkadot relay chain was never at risk.
Hackers exploit SubQuery network for $130,000
The Hyperbridge incident wasn’t the only security flare-up over the weekend. The SubQuery Network also fell victim to an exploit totaling $130,000, highlighting a persistent issue with legacy code. A vulnerability in access control data—written over two years ago—allowed an attacker to redirect staking rewards to their own contract.
Despite a significant year-over-year decrease in DeFi theft—dropping from over $1.5 billion in Q1 2025 to roughly $168 million in Q1 2026—the frequency of these “minor” exploits suggests that hackers are becoming more surgical. As protocols continue to battle for cross-chain dominance, the focus is shifting from throughput to the fundamental integrity of Merkle proofs and admin access controls.
Final Thoughts
While the financial loss in the Hyperbridge case was relatively small, the technical implications are significant. It proves that “proof-based” systems are only as strong as their verifier’s ability to distinguish between legitimate and forged messages.
Frequently Asked Questions
Was native Polkadot (DOT) stolen?
No, the exploit only affected bridged DOT on the Ethereum network; native DOT remains secure.
Why didn’t the hacker get more money?
The limited liquidity in the specific bridged DOT pool prevented the hacker from cashing out the full 1 billion tokens.
Is Hyperbridge still active?
Operations are currently paused while the team implements a mandatory security upgrade to fix the proof vulnerability.