- Hyperbridge suffers a code exploit.
- The hacker tricked the protocol into minting one billion of Polkadot's DOT token.
- They only made off with $237,000, however.
Hyperbridge, a popular crypto bridge, has been left reeling after a hacker used a code bug to create unbacked crypto tokens.
The hacker tricked the bridge into creating one billion of Polkadot’s DOT token on the Ethereum blockchain, multiple security experts reported on Monday. Although the haul had a paper value of some $1.2 billion, a lack of liquidity meant the hacker sold the tokens through decentralised exchange Uniswap for just over $237,000 worth of Ether, onchain records show.
Seun Lanlege, founder of Polytope Labs, the firm behind Hyperbridge, said the protocol has been paused while his team works to patch the bug.
A spokesperson for Parity Technologies, a Polkadot developer, told DL News that based on the information currently available, the issue does not indicate any vulnerability in Polkadot’s protocol, consensus, or audited core code.
Last year, hackers swiped over $649 million through code exploits, according to a report from Slowmist, a blockchain security firm.
Even battle-tested protocols like Balancer, whose code had been live on the Ethereum blockchain since 2021, were not immune. It lost $128 million in November after a hacker exploited a code bug.
In recent months, DeFi developers fear hackers are increasingly using artificial intelligence to find DeFi protocol vulnerabilities and exploit them.
Most vulnerable DeFi protocols
Hyperbridge was created by Lanlege and co-founder David Salami through Polytope Labs, a Lagos-based blockchain research company started in 2023.
The protocol lets users send assets between various unconnected blockchains, such as Polkadot and Ethereum. Hyperbridge launched on Polkadot in November 2024.
The root cause of the incident appears to be a forgery of the messages the bridge uses to ensure users can only withdraw tokens equivalent to the amount they deposit, BlockSec, a crypto security firm, said on X.
The hacker, BlockSec said, found a way to fake these messages. This allowed them to trick the protocol into creating one billion DOT tokens without depositing the same amount into the bridge.
At one point, crypto bridges were viewed as some of the most vulnerable DeFi protocols.
In 2022, a hacker used a bug in Wormhole, a crypto bridge that connected Solana to several other blockchains, to steal some $322 million. Like the Hyperbridge attack, the hacker tricked the bridge into letting them create fake tokens.
A month later, North Korean hackers stole some $625 million from a crypto bridge connecting the Ronin blockchain to Ethereum. This time, the theft resulted from the hackers gaining access to the password-like private keys that controlled the bridge.
While attacks against crypto bridges have become less common in recent years, many of the same design choices that make them vulnerable still remain.
Polkadot's DOT token has fallen around 5% over the post 24 hours.
Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.
