The most ridiculous heist in the crypto world? A hacker minted $1 billion worth of DOT tokens but only stole $230k.


Hackers exploited a vulnerability in the Hyperbridge cross-chain bridge to mint 1 billion DOT tokens out of thin air, with a face value of $1.19 billion. However, due to severe market liquidity shortages, they only cashed out about $237k.

Cryptocurrency attack incidents are happening frequently, but cases like this—“taking big risks for small gains”—are quite rare. Earlier today (13th), a hacker exploited a flaw in the Hyperbridge cross-chain bridge to mint 1 billion Polkadot (DOT) tokens on Ethereum, with a nominal value of $1.19 billion. Yet, when attempting to sell these tokens, they only managed to obtain about $237k worth of ETH due to liquidity issues.

It should be clarified that the attack targeted the “cross-chain bridge smart contract,” so the native DOT tokens on the Polkadot mainnet were not affected. The main cause of this vulnerability was that Hyperbridge’s EthereumHost contract failed to properly verify the authenticity of messages before passing cross-chain information to the TokenGateway.

Image source: X/@OnchainLens

Cross-chain bridges have always been the most vulnerable part of blockchain architecture because they hold management permissions over token contracts. Once the verification mechanism is compromised, hackers can easily gain the power to mint unlimited tokens.

Attack methods: forging messages, taking over management rights, unlimited minting

On-chain tracking shows that the hacker submitted a forged message via dispatchIncoming, successfully directing it to TokenGateway.onAccept. The system was supposed to verify the authenticity of this message based on the status on the Polkadot chain, but the verification mechanism recorded the promise value as “all zeros,” meaning the verification process was completely bypassed or nonexistent. As a result, the system mistakenly treated this fake message as a legitimate command.

The accepted message immediately executed the changeAdmin function on the bridge’s Polkadot token contract, transferring admin rights to the attacker’s address. After gaining management control, the attacker minted 1 billion DOT tokens in a single transaction. Using Odos Router V3, they deposited these tokens into the DOT-ETH liquidity pool on Uniswap V4, performing multiple swaps at slightly different prices. Ultimately, they withdrew about 108.2 ETH.
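To illustrate the failure mode described above, here is an added example (not Hyperbridge's code and not part of the original article): a simplified Python model of a bridge host that checks an incoming message against a stored commitment before passing it to a gateway. All class, function and payload names are hypothetical, and the flawed branch is one assumed way an all-zeros commitment can end up skipping verification.

```python
import hashlib
from dataclasses import dataclass

ZERO = bytes(32)  # what an unset 32-byte commitment slot reads as

def h(tag: bytes, *parts: bytes) -> bytes:
    return hashlib.sha256(tag + b"".join(parts)).digest()

@dataclass(frozen=True)
class Message:
    height: int        # source-chain height the proof claims to be against
    body: bytes        # payload that would be handed to the gateway
    proof: tuple = ()  # sibling hashes, leaf to root

def implied_root(msg: Message) -> bytes:
    """Recompute the root that the message body and its proof imply."""
    node = h(b"leaf", msg.body)
    for sibling in msg.proof:
        node = h(b"node", *sorted((node, sibling)))
    return node

class Host:
    def __init__(self):
        self.commitments = {}  # height -> root accepted from source-chain consensus
        self.delivered = []    # payloads passed on to the gateway

    def dispatch_unchecked(self, msg: Message) -> None:
        # Flawed (assumed) pattern: a missing commitment reads as ZERO and
        # ZERO is treated as "nothing to compare against", so it fails open.
        root = self.commitments.get(msg.height, ZERO)
        if root != ZERO and implied_root(msg) != root:
            raise ValueError("proof mismatch")
        self.delivered.append(msg.body)

    def dispatch_checked(self, msg: Message) -> None:
        # Hardened: an unset or zero commitment is a hard failure (fail closed).
        root = self.commitments.get(msg.height, ZERO)
        if root == ZERO:
            raise ValueError("no commitment recorded for this height")
        if implied_root(msg) != root:
            raise ValueError("proof mismatch")
        self.delivered.append(msg.body)

def accepted(dispatch, msg: Message) -> bool:
    try:
        dispatch(msg)
        return True
    except ValueError:
        return False

def build_samples():
    """Constructed sample data: a two-leaf tree, one genuine and one unproven message."""
    a, b = b"transfer:alice:5", b"transfer:bob:7"
    root = h(b"node", *sorted((h(b"leaf", a), h(b"leaf", b))))
    return root, Message(100, a, (h(b"leaf", b),)), Message(999, b"changeAdmin:0xUNTRUSTED")
```

The hardened path rejects both a message that cites a height with no recorded commitment and a tampered body that reuses a genuine proof; the flawed path only catches the second.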

“Liquidity shortage” becomes a protective shield

In financial markets, “liquidity shortage” is usually a headache for whales and large traders. Ironically, in this case, the liquidity shortage became an invisible shield, greatly limiting the hacker’s profit potential.

Because the liquidity depth of DOT on Ethereum is extremely limited, it cannot absorb the 1 billion tokens minted out of thin air. When the hacker rushed to sell and cash out, severe slippage caused the actual price per token to fall below 1 cent.

In a bridge with deeper liquidity or higher value assets, the same vulnerability could cause losses dozens of times greater. As of writing, DOT’s trading price is about $1.17, down 5% in the past 24 hours.

This incident again demonstrates that even if hackers have “unlimited minting rights,” whether they can successfully arbitrage depends ultimately on market liquidity and trading depth. The well-known blockchain security firm CertiK later confirmed the attack and stated that the hacker profited approximately $237k by minting and selling the bridged tokens.

As of now, Hyperbridge has not issued any public statement regarding the hacker incident.

Image source: X/@CertiKAlert

  • This article is reprinted with permission from: “BlockCast”
  • Original title: “The Most Ridiculous Heist? Hacker Mints $1 Billion in $DOT, Only Steals $237K Due to ‘This Reason’”
  • Original author: Block Sister MEL