A hacker exploited the Polkadot-based cross-chain protocol Hyperbridge, minting 1 billion bridged DOT tokens and netting roughly $237,000. The incident, which only affected bridged DOT on Ethereum, prompted Hyperbridge to pause operations as teams investigated. The exploit follows a separate $130,000 attack on the SubQuery Network, highlighting ongoing security concerns despite a significant year-over-year drop in DeFi exploit losses.
A hacker exploited the Polkadot-based cross-chain interoperability protocol Hyperbridge, netting about $237,000. The attacker minted 1 billion bridged Polkadot (DOT) tokens in a single transaction, according to blockchain data shared by cybersecurity platform CertiK.
Polkadot noted in a Monday social media post that the exploit only affected DOT on Ethereum bridged through Hyperbridge. Native DOT tokens and the wider Polkadot ecosystem remain unaffected.
CertiK said the hacker minted tokens after he “slipped through a forged message to change the admin of Polkadot token contract on Ethereum.” Limited liquidity in the bridged DOT pool capped the proceeds at 108.2 Ether, worth around $237,000.
Hyperbridge paused operations after the attack while the team worked on an upgrade. A contributor, Web3 Philosopher, said the initial diagnosis pointed to a malicious proof that fooled the protocol’s Merkle tree verifier.
Cybersecurity research company BlockSec Phalcon said the likely root cause was a Merkle Mountain Range proof replay vulnerability. The final root cause has not yet been confirmed by the protocol.
On Sunday, the data indexing protocol SubQuery Network was also exploited for around $130,000. The vulnerability was due to missing access control data that exposed code written over two years ago.
The vulnerability enabled the attacker to set his own contract as the withdrawal target for staking rewards. Blockchain security auditor Pashov detailed the incident in a social media post.
Hackers stole over $168 million from 34 decentralized finance protocols in the first quarter of 2026. This marks a significant decline from the $1.58 billion stolen in the first quarter of 2025.
