In brief
- Hyperbridge's exploit was about 10x worse than originally feared, with estimated losses now around $2.5 million.
- The protocol originally reported that there were just $237,000 in funds exploited earlier this week.
- The bulk of stolen funds have been traced, and the firm is working with law enforcement in the hopes of freezing and recovering assets.
An exploit that led to the minting of 1 billion wrapped Polkadot (DOT) tokens earlier this week is even worse than originally reported, according to the team behind Hyperbridge.
What was originally thought to amount to $237,000 worth of token losses linked to the Polkadot-Ethereum bridge is actually closer to $2.5 million—a more than 10x increase from the initial report.
“An attacker exploited a vulnerability in the Merkle Mountain Range (MMR) proof verification logic, allowing the culprit to mint assets and drain escrowed assets on Token Gateway,” the team posted in a Thursday postmortem.
The attacker extracted about 245 ETH from a related TokenGateway contract.
About an hour later, a forged cross-chain message bypassed MMR proof verification, allowing the attacker to mint 1 billion bridged DOT and dump them into thin liquidity.
— Hyperbridge (@hyperbridge) April 16, 2026
“Our initial public estimate of the realized loss was about $237,000, based on the immediately observable sell-off of bridged DOT on Ethereum,” they added. “That figure did not capture the full picture, we later learned.”
In addition to the $237,000 in observable losses, a smart contract was exploited for 245 ETH or about $561,000 hours before the malicious DOT token mintings. Plus, 3 connected blockchains—Base, Arbitrum, and BNB Chain—were also impacted, contradicting the team’s initial report that only wrapped DOT on Ethereum was affected.
“Following reconciliation of attacker activity across each of the 4 chains, the two-phase nature of the attack, and losses from the associated incentive pools, the revised total realized loss is about $2.5 million, denominated in ETH and DOT at the time of the exploit,” it wrote.
The stolen funds have been traced to a deposit address on Binance, and the firm has engaged the centralized exchange’s compliance team and relevant law enforcement in an effort to freeze and recover the stolen assets—but it doesn’t expect a resolution soon.
“We are pursuing each available channel, but the realistic timeline for meaningful recovery in a case of this kind is measured in months, and can extend up to a year,” it added.
While its goal is to make all affected users whole, repaying funds that have been compromised, the protocol indicated that it is “committed to a structured BRIDGE token allocation to cover the residual loss,” should it be unable to do so.
But BRIDGE, its native protocol token, maintains extremely low volumes, last trading $1,800 over 24 hours when it changed hands for about $0.006 on March 29, according to data from CoinGecko. At that price point, the token had a market cap of about $858,000, about one-third of the total losses from its exploit.
Bridging functionality on the 4 affected blockchains remains paused, and will only resume after a patch is deployed and audited.
“This does not change our conviction that cross-chain interoperability is only secure through cryptographic proofs,” the protocol team wrote.
“What this exploit has made clear, expensively, is that verification logic needs more frequent audits and adversarial testing at each layer of the stack,” it added. “That is the standard Token Gateway will operate under going forward.”