Crypto Hacker Mints $1.1 Billion in Polkadot via Ethereum Bridge, But Can Only Cash Out $237K

A method exploit of blockchain token span Hyperbridge led to the artificial instauration of 1 cardinal Polkadot (DOT) tokens valued supra $1.1 billion—but it lone saw astir $237,000 successful losses owed to constricted liquidity, the steadfast reported connected Monday. 

The protocol, which allows users to transportation funds to and from chiseled blockchains—like Ethereum to Polkdaot—said the exploit was arsenic a effect of a vulnerability successful its impervious verification logic. The malicious histrion has not yet been identified. 

“This flaw allowed invalid proofs to beryllium incorrectly accepted arsenic valid,” Hyperbridge posted connected X. “As a result, a malicious connection was processed that granted the attacker administrative power of the bridged DOT token declaration connected Ethereum.” 

Once the exploiter gained entree to the bridged DOT token contract, they proceeded to mint 1 cardinal bridged DOT tokens—which exceeded the existent bridged DOT token proviso by astir 2,800 times. For reference, the full native, non-bridged DOT proviso is lone 1.6 cardinal tokens.

The steadfast and the squad down the Polkadot blockchain confirmed the exploit was confined to lone bridged DOT connected the Ethereum blockchain.

After minting the tokens, the attacker past sold them straight connected decentralized exchanges, making distant with astir $237,000—the magnitude that was disposable successful trading liquidity.

Should determination person been capable liquidity, idiosyncratic with astir 1 cardinal DOT tokens could basal to summation much than $1 cardinal arsenic the token trades astir $1.17, down 4.6% successful the past 24 hours.

At that mark, DOT has present fallen much than 68% successful the past twelvemonth of trading and is astir 98% disconnected its November 2021 all-time precocious of $54.98. DOT is presently conscionable supra its all-time debased terms of $1.15, acceptable successful February.

The protocol’s app is down for attraction arsenic it adds “additional safeguards” and works with information partners successful an effort to retrieve swiped funds. 

Bridge protocols person been astatine the halfway of aggregate exploits implicit the years, highlighted by Ronin Network’s $552 cardinal exploit successful 2022 erstwhile hackers attacked its autochthonal span to Ethereum. The exploit remains 1 of the largest crypto hacks of all-time, and was linked by U.S. authorities agencies to North Korea’s infamous state-sponsored Lazarus hacking group.

The latest exploit adds to a mounting database of concerns surrounding the information of DeFi protocols, pursuing the caller exploit of Solana’s Drift Protocol, which mislaid more than $285 million connected April 1 to a North Korean-linked hacker.