Key Highlights

  • An attacker forged a bridge message on a Polkadot–Ethereum contract, bypassed proof checks, and took admin control of the bridged DOT token.

  • The exploit allowed the attacker to mint roughly $1 billion worth of bridged DOT on Ethereum. 

  • Thin liquidity on decentralized exchanges limited the realized gain to approximately $237,000.

An attacker exploited a vulnerability in a Polkadot-to-Ethereum bridge contract, minting approximately $1 billion in bridged DOT tokens on the Ethereum network. Despite the scale of the mint, limited on-chain liquidity meant the attacker could only extract roughly $237,000 before the bridged token's price collapsed.

The attack centered on a forged cross-chain message that bypassed the bridge contract's state proof validation. By circumventing this check, the attacker gained administrative control over the bridged DOT token contract on Ethereum and was able to authorize the minting of the token's entire supply without legitimate verification from the Polkadot network.

The gap between the face value of the minted tokens and the amount the attacker realized reflects a structural constraint. Bridged DOT trading pairs on Ethereum-based decentralized exchanges carried limited liquidity. As the attacker began dumping the minted supply, the price of the bridged token fell to near zero, capping the total extracted value at $237,000.
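The cap described above can be reproduced with a simple pool model. The following is an added example, not code or data from the incident: it assumes constant-product (x*y=k) pools with a 0.3% fee, and the reserves, the $4 starting price and the token count are constructed values chosen only to give a $1 billion face value against thin liquidity.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    token: float        # bridged-token reserve (constructed)
    quote: float        # quote-asset reserve in USD terms (constructed)
    fee: float = 0.003  # assumed swap fee

    def price(self) -> float:
        return self.quote / self.token

    def sell(self, amount_in: float) -> float:
        """Swap amount_in bridged tokens for quote asset; return quote received."""
        effective = amount_in * (1 - self.fee)
        out = self.quote * effective / (self.token + effective)
        self.token += amount_in
        self.quote -= out
        return out

def dump(pools, total_tokens, chunks=1000):
    """Sell in equal chunks, each routed to the pool quoting the best price."""
    proceeds = 0.0
    step = total_tokens / chunks
    for _ in range(chunks):
        proceeds += max(pools, key=Pool.price).sell(step)
    return proceeds

def simulate(minted_tokens):
    # Constructed liquidity: two pools at $4 per token, $240k of quote depth in total.
    pools = [Pool(token=40_000, quote=160_000), Pool(token=20_000, quote=80_000)]
    start_price = pools[0].price()
    depth = sum(p.quote for p in pools)
    proceeds = dump(pools, minted_tokens)
    return {
        "face_value": minted_tokens * start_price,
        "quote_depth": depth,
        "proceeds": proceeds,
        "end_price": max(p.price() for p in pools),
    }

if __name__ == "__main__":
    for name, value in simulate(250_000_000).items():
        print(f"{name:>12}: {value:,.8f}")
```

In this model the seller's proceeds can never exceed the quote-side reserves, however large the minted amount, which is why pool depth rather than face value bounds the realized loss.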

The native DOT token on Polkadot's own network was not directly impacted. The exploit targeted the Ethereum-side representation of the token, meaning users holding DOT natively on Polkadot did not see their balances change. However, holders of the Ethereum-bridged version of DOT likely faced a total loss.

Cross-chain bridges remain one of the most targeted components in decentralized finance. Previous bridge exploits include the Ronin bridge incident ($625 million, 2022) and the Wormhole exploit ($320 million, 2022). While the realized losses in this case were significantly smaller, the pattern is consistent: bridge contracts carry concentrated risk because they act as custodians of value between chains, and a single flaw in message verification logic can compromise the entire supply of a bridged asset.