1 billion DOTs were minted out of thin air, but the hacker only made 230,000 dollars

Author: Zhou, ChainCatcher

On April 13th at 10 AM Beijing time, the on-chain monitoring platform issued alerts: there was an abnormal issuance of bridged assets on the Ethereum network from Polkadot.
According to analysis by CertiK, the attacker submitted a carefully crafted cross-chain request to the HandlerV1 contract on the Ethereum side through the ISMP protocol of Hyperbridge, along with a historically accepted real MMR proof, successfully bypassing the verification mechanism.

BlockSec Phalcon subsequently released a technical alert, classifying this vulnerability as an MMR proof replay vulnerability. According to their analysis, the root of the vulnerability lies in the fact that the replay protection of the HandlerV1 contract only verifies whether the hash of a certain request has been used before, but the proof verification process does not bind the submitted request payload to the verified proof.

This logical gap allowed the attacker to replay a historically valid proof and pair it with a newly constructed malicious request, thus executing the ChangeAssetAdmin operation through the TokenGateway.onAccept() path, transferring the admin and minting rights of the wrapped DOT contract on Ethereum (address: 0x8d...8F90b8) to an address controlled by the attacker.

According to on-chain data, after obtaining minting rights, the attacker minted 1 billion bridged DOT, which was approximately 2805 times the reported circulating supply of about 356,000 of that token on Ethereum at the time.

Subsequently, the attacker exchanged all chips for about 108.2 ETH through the Odos Router and Uniswap V4 liquidity pool, transferring it to the attacker's external account, realizing a profit of about $237,000 based on the price at that time, with the entire attack consuming only about $0.74 in gas fees.

BlockSec Phalcon also mentioned that there had been a previous attack using the same method, targeting MANTA and CERE tokens, resulting in a loss of about $12,000. The total loss from both attacks amounted to approximately $242,000.

After the incident, leading South Korean exchanges Upbit and Bithumb announced the suspension of deposit and withdrawal services for DOT and AssetHub Polkadot network to prevent potential fake deposit risks.

Polkadot officials stated that this vulnerability only affects DOT bridged to Ethereum via Hyperbridge and does not impact DOT assets within the Polkadot ecosystem or DOT transferred through other cross-chain bridges. Polkadot and its parachains, as well as native DOT, remain secure and unaffected. Currently, Hyperbridge has been suspended to investigate the issue.

It is worth mentioning that although the minting scale reached 1 billion, the actual loss was far lower than the theoretical figure. Due to the extremely limited on-chain liquidity of wrapped DOT on Ethereum, the concentrated sell-off of 1 billion tokens instantly crashed the price of wrapped DOT from $1.22 to $0.00012831, a drop of 99.98%, rendering most tokens ineffective for liquidation.

According to CoinMarketCap data, the price of the native DOT token also briefly dropped nearly 5% due to market sentiment.

Users on X candidly stated that who would have thought the cross-chain myth DOT, which once stood alongside Ethereum, would explode on social media in this way. Cross-chain bridges have once again become the "Achilles' heel" of the crypto world, transforming from a previously neglected area into a scene of devastation. When 1 billion DOT appeared out of nowhere, all technical indicators became worthless.

Some users jokingly remarked that the low liquidity saved Polkadot this time, keeping the actual loss around $237,000.

However, the low liquidity of bridged assets, while limiting the hacker's profits, exposed the potential vulnerabilities of the cross-chain interoperability layer.

It is reported that Hyperbridge, developed by Polytope Labs, is a cross-chain interoperability project within the Polkadot ecosystem, which has long relied on cryptographic proofs instead of multi-signature committees as its core security mechanism, positioning itself as a trust-minimized cross-chain infrastructure. The project had previously emphasized its resistance to common bridge attacks.

But this incident may indicate that the integrity of the cryptographic proof mechanism alone is not sufficient to ensure security; the specific implementation logic of the Gateway contract on the Ethereum side also constitutes an attack surface.

From a broader perspective, this incident reflects the ongoing severe security situation in DeFi since 2026. Several significant attacks have occurred this year, including Venus generating $2.15 million in bad debt due to price manipulation, Resolve over-minting 80 million USR, and Drift being hacked for over $285 million in assets, with various attack methods and a wide range of affected areas.

Taking over minting rights for unlimited issuance is not a new attack model. However, due to the extremely shallow liquidity of Hyperbridge, the losses were unexpectedly minimized.

According to CertiK data, there were 46 recorded security incidents in March alone, with total losses of approximately $39.8 million, marking the highest monthly record since November 2024. CertiK also pointed out that the frequency of code vulnerability exploitation has increased, possibly related to the rise of AI-assisted vulnerability discovery tools.

The rise in attack frequency is also prompting the industry to re-examine the boundaries of security and regulation. Circle's Chief Strategy Officer Dante Disparte previously called for protocols, wallets, exchanges, and stablecoin issuers to view security and accountability as a shared obligation in response to the Drift Protocol theft incident, suggesting that DeFi protocols could develop on-chain technical protection measures referencing traditional market circuit breaker mechanisms and promote relevant legislation to incorporate property rights and financial privacy protection standards into law before the next major incident occurs.