A security vulnerability in the crypto market has emerged, this time through the Hyperbridge infrastructure. A flaw in the system that enables asset transfers between Ethereum and other blockchains allowed an attacker to generate tokens with a theoretical value of billions of dollars. However, the profit obtained was far below expectations.
1 billion DOT generated
In the incident, which occurred on Sunday, the attacker targeted the verification process in Hyperbridge's gateway contract on Ethereum. Through this vulnerability, 1 billion bridged Polkadot (DOT) tokens were generated. Although this amount corresponds to approximately $1.19 billion on paper, the attacker received only about $237,000 after selling. The attack targeted the bridge mechanism, not the Polkadot network itself, so Polkadot's mainnet and the native DOT token were not affected. The problem arose in the verification phase of cross-chain messages. Normally, the validity of these messages is confirmed with strong cryptographic proofs. However, it emerged that the verification method used here could be bypassed in a specific scenario.
According to on-chain data, the attacker sent a forged message via the "dispatchIncoming" function in the system. This message was routed to the TokenGateway contract and processed without passing the necessary checks. Specifically, it was found that a zero-value record was kept in the "receipt" check, which should have verified the message's validity. This indicates that the verification process was either incomplete or completely disabled in a particular call path. With the acceptance of the forged message, the attacker gained administrator privileges in the relevant token contract. From this point, the process proceeded very quickly. 1 billion tokens were minted in a single transaction, and then these assets were released into the market through various transactions. Sales were primarily conducted in the DOT-ETH liquidity pool on Uniswap. As a result of sales in multiple transactions, a total of approximately 108 ETH was obtained.
Token price declined
However, the most critical part of the incident emerged here. The extremely limited bridged DOT liquidity on Ethereum meant that the sales put severe pressure on the price. The market could not absorb such a large supply, and the token price plummeted. As a result, the attacker earned a relatively small amount of money despite holding such a massive amount of tokens.
Security experts point out that such vulnerabilities pose even greater risks, especially in bridge systems. Because bridges have high authority over token contracts on the target chain, even a single error in the verification mechanism can lead to unlimited token production. The main reason the damage was limited in this case was the lack of liquidity. In other words, a similar vulnerability in deeper markets or assets with higher trading volumes could cause much larger losses. There has been no official statement from Hyperbridge yet. Furthermore, it remains unclear whether other tokens using the same gateway infrastructure pose a similar risk.
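The liquidity argument above can be made concrete with a small damage-assessment model. The following is an added example, not code from Hyperbridge or Uniswap: it assumes a constant-product pool with a 0.3% fee, and both pools' reserves are constructed sample values rather than on-chain data.

```python
# Added illustration: constant-product (x * y = k) pool with a 0.3% fee.
# All reserves below are constructed sample values, not on-chain data.

def swap_out(reserve_in, reserve_out, amount_in, fee_bps=30):
    """ETH paid out for selling amount_in tokens into the pool."""
    effective_in = amount_in * (10_000 - fee_bps) / 10_000
    return reserve_out * effective_in / (reserve_in + effective_in)

def sell_in_chunks(reserve_token, reserve_eth, total_in, chunks):
    """Sell total_in in equal chunks; return (eth_received, final_spot_price)."""
    received = 0.0
    per_chunk = total_in / chunks
    for _ in range(chunks):
        out = swap_out(reserve_token, reserve_eth, per_chunk)
        reserve_token += per_chunk  # the full input, fee included, stays in the pool
        reserve_eth -= out
        received += out
    return received, reserve_eth / reserve_token

def paper_value_eth(pool, amount):
    """Value of amount at the pre-sale spot price (the 'on paper' figure)."""
    token_reserve, eth_reserve = pool
    return amount * eth_reserve / token_reserve

MINTED = 1_000_000_000                 # amount minted, from the article
THIN_POOL = (200_000, 110.0)           # constructed: token reserve, ETH reserve
DEEP_POOL = (200_000_000, 110_000.0)   # constructed: same spot price, 1000x depth

if __name__ == "__main__":
    for name, pool in (("thin", THIN_POOL), ("deep", DEEP_POOL)):
        paper = paper_value_eth(pool, MINTED)
        single = swap_out(pool[0], pool[1], MINTED)
        chunked, price = sell_in_chunks(pool[0], pool[1], MINTED, 20)
        print(f"{name}: paper={paper:,.0f} ETH  one sale={single:,.2f} ETH  "
              f"20 sales={chunked:,.2f} ETH  final price={price:.3e} ETH/token")
```

Realized proceeds can never exceed the pool's ETH reserve, and splitting the sale across transactions does not raise them, which is why the same minting flaw is far more costly against a deeper pool.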



