Author: Zhou, ChainCatcher
According to CertiK's analysis, the attacker submitted a carefully crafted cross-chain request to the HandlerV1 contract on the Ethereum side via Hyperbridge's ISMP protocol, and paired it with a real MMR proof that had been historically accepted by the system, successfully bypassing the verification mechanism.
BlockSec Phalcon subsequently issued a technical alert, characterizing this vulnerability as an MMR proof replay vulnerability. According to their analysis, the root cause of the vulnerability lies in the fact that the replay protection of the HandlerV1 contract only verifies whether the hash of a request has been used before, but the proof verification process did not bind the submitted request payload to the proof being verified.
This logical flaw allowed the attacker to replay a historically valid proof and pair it with a newly constructed malicious request, thereby executing the ChangeAssetAdmin operation via the TokenGateway.onAccept() path, transferring the admin and minting permissions of the wrapped DOT contract on Ethereum (address: 0x8d...8F90b8) to an address controlled by the attacker.
On-chain data shows that after obtaining minting permissions, the attacker minted 1 billion wrapped DOT tokens, a quantity approximately 2805 times the reported circulating supply of about 356,000 tokens on Ethereum at the time.
Subsequently, the attacker exchanged the entire amount for approximately 108.2 ETH via Odos Router and Uniswap V4 liquidity pools, and transferred it to the attacker's external account, profiting about $237,000 at the time, with the gas cost for the entire attack being only about $0.74.
BlockSec Phalcon also mentioned that a previous attack using the same method had occurred, targeting MANTA and CERE tokens, resulting in a loss of about $12,000. The total combined loss from both attacks is approximately $242,000.
Following the incident, major South Korean exchanges Upbit and Bithumb announced the suspension of deposit and withdrawal services for DOT and the AssetHub Polkadot network to prevent potential fake deposit risks.
Polkadot officials stated that this vulnerability only affects DOT bridged to Ethereum via Hyperbridge, and does not affect DOT assets within the Polkadot ecosystem, nor DOT transferred via other bridges. Polkadot and its parachains, as well as native DOT, remain secure and unaffected. Hyperbridge has currently been suspended to investigate the issue.
It is worth mentioning that despite the minting scale reaching 1 billion tokens, the actual loss is far lower than the theoretical figure.Due to the extremely limited on-chain liquidity of wrapped DOT on Ethereum, the concentrated sell-off of 1 billion tokens instantly crashed the price of wrapped DOT from $1.22 to $0.00012831, a drop of 99.98%, rendering the vast majority of tokens unable to be effectively liquidated.
According to CoinMarketCap data, the price of native DOT tokens was also briefly dragged down by market sentiment, falling nearly 5%.
Users on X bluntly stated, who would have thought that DOT, once a cross-chain myth alongside Ethereum, would引爆 social media in this way. Cross-chain bridges have once again become the "Achilles' heel" of the crypto world. The once-deserted quiet has now turned into a scene of devastation and sighing. When 1 billion DOT appeared out of thin air, all technical indicators became worthless.
Other users jokingly remarked that low liquidity "saved Polkadot" in this incident by意外, limiting the actual loss to about $237,000.
However, while the low liquidity of bridged assets limited the hacker's profit, it exposed the potential fragility of the cross-chain interoperability layer.
It is reported that Hyperbridge, developed by Polytope Labs, is a cross-chain interoperability project within the Polkadot ecosystem, long positioning itself as trust-minimized cross-chain infrastructure with its core security mechanism relying on cryptographic proofs instead of multi-signature committees. The project had previously emphasized its resistance to common bridge attacks.
<极p>
But this incident perhaps indicates that the integrity of the cryptographic proof mechanism itself is not sufficient to guarantee security; the specific implementation logic of the Gateway contract on the Ethereum side also constitutes an attack surface.
From a more macro perspective, this incident is a microcosm of the持续严峻 DeFi security landscape in 2026. Since the beginning of the year, several major attacks have occurred, including Venus generating $2.15 million in bad debt due to price manipulation, Resolve over-minting 80 million USR, and Drift losing over $285 million in assets. The attack methods varied and involved diverse areas.
Taking over minting rights for无限增发 is not a new attack模式. However, Hyperbridge's损失 was意外压低 due to its extremely shallow liquidity.
According to CertiK data, March alone recorded 46 security incidents, with total losses of approximately $39.8 million, the highest monthly record since November 2024. CertiK also pointed out that the increased frequency of code vulnerability exploits may be related to the rise of AI-assisted vulnerability mining tools.
The rise in attack frequency is also pushing the industry to重新审视 the boundaries of security and regulation. Circle's Chief Strategy Officer Dante Disparte previously, in response to the Drift Protocol theft, called for protocols, wallets, exchanges, and stablecoin issuers to treat security and accountability as a shared obligation. He suggested that DeFi protocols could develop on-chain technical protection measures参考 traditional market circuit breakers, and promote relevant legislation to enshrine property rights and financial privacy protection standards into law before the next major incident occurs.
