Security firm CertiK has confirmed a significant exploit targeting the Hyperbridge gateway contract. The attack enabled a malicious actor to forge a cross-chain message, gain unauthorized administrative control over the Polkadot token contract on Ethereum, mint one billion tokens, and extract approximately $237,000 in proceeds. The breach highlights ongoing vulnerabilities in cross-chain infrastructure, even within projects designed to improve interoperability and security between Polkadot and Ethereum ecosystems. Importantly, the native Polkadot blockchain and its parachains were not affected, as the incident was isolated to the Ethereum-side token contract.
Gateway Contract Breached
The attacker exploited a validation weakness in Hyperbridge’s gateway by submitting a forged message that bypassed standard security checks. This allowed direct invocation of the changeAdmin function on the Polkadot token contract deployed on Ethereum, effectively transferring administrative privileges without authorization. After gaining control, the attacker minted one billion DOT tokens in a single operation. The newly created tokens were quickly swapped on a decentralized exchange for 108.2 ETH, resulting in a profit of approximately $237,000.
This rapid sequence exposed weaknesses in the gateway’s message verification process. Hyperbridge had been positioned as a more secure alternative to traditional bridges, leveraging Polkadot’s validator-based economic security. However, the incident demonstrates that flaws in gateway implementation can still create exploitable attack surfaces.
Financial Fallout and Market Response
Despite the massive token mint, thin liquidity in decentralized exchange pools limited the attacker’s profit to around $237,000. The sudden influx of tokens caused the price to collapse almost instantly, preventing larger gains. CertiK issued an immediate alert urging the community to remain vigilant. In response, major South Korean exchanges Upbit and Bithumb temporarily suspended DOT deposits and withdrawals to protect users and allow further investigation.
The breach has reignited concerns about risks in bridge and gateway architectures, particularly where admin privileges on token contracts remain high-value targets. Similar vulnerabilities have surfaced in recent incidents, such as the SubQuery staking contract exploit, reinforcing the need for stronger safeguards across DeFi protocols. Industry observers note that such incidents continue to weaken confidence in bridged assets, even as protocols evolve toward decentralized verification methods.
Broader Implications for Cross-Chain Security
This event adds to a growing pattern of attacks targeting interoperability layers in 2026, where forged messages and privilege escalation are increasingly common. Hyperbridge, designed to reduce reliance on centralized intermediaries through cryptographic proofs and Polkadot’s shared security model, is now under scrutiny for its gateway implementation.
The incident also highlights how containment was driven more by market conditions than protocol defenses. This underscores the need for stronger liquidity monitoring, stricter administrative controls, and multi-layered validation mechanisms in cross-chain systems. Developers and users are reminded that even if core blockchain consensus remains secure, peripheral contracts handling messaging and token operations require equally robust protection.
Polkadot Price History
Polkadot (DOT) reached its peak phase in 2021, when the token traded in the $40 to $50 range and touched an all-time high close to $55, with its market capitalization climbing to roughly $40 to $50 billion during that bull cycle. By 2026, DOT is trading between $1.5 and $2 per token, reflecting a steep decline from its peak. Its market capitalization has similarly dropped to around $2.5 to $3.5 billion. This represents a fall of over 90 percent in both price and valuation since 2021, largely driven by the broader crypto bear market and reduced investor demand.
Key Incident Summary
- Forged message used to bypass Hyperbridge gateway validation and seize admin rights on Ethereum-based DOT contract
- One billion DOT tokens minted without authorization
- Tokens swapped for 108.2 ETH, yielding about $237,000 due to limited liquidity
- Incident confined to Ethereum-side contract; Polkadot network unaffected
- Exchanges suspended DOT transfers as a precaution
