Another crypto hack drains out a billion tokens

By TheStreet Roundtable
17 days ago

Crypto hacks are no longer rare events. 

According to Chainalysis, the industry lost $3.4 billion to crypto theft in 2025, with the top three hacks alone accounting for 69% of all losses. 

Attackers have often targeted technical vulnerabilities in smart contracts and cross-chain bridges, and on April 13 another such incident occurred.

An exploit on Hyperbridge, a cross-chain communication protocol built on the Polkadot (DOT) network, resulted in a loss of approximately $237,000. 

The attacker exploited a vulnerability in the gateway contract, the digital checkpoint that validates messages moving between blockchains, to fraudulently gain administrative control over Polkadot's token contract on Ethereum (ETH).

What is Polkadot?

Polkadot is a Layer 0 open-source blockchain platform and cryptocurrency that allows multiple blockchains, called parachains, to connect and operate within its network. It enables protocols and blockchains to share their unique features while pooling their security, making it a scalable, heterogeneous multi-chain technology.

If the broader blockchain world were a collection of isolated islands, with Bitcoin (BTC), Ethereum, and others, each operating under its own rules, they would be unable to communicate natively with one another. Polkadot is the bridge network that ensures this intercommunication.

A Layer 0 blockchain is the foundational infrastructure that Layer 1 blockchains are built on top of, or connect through. It does not run apps or process everyday transactions itself, unlike Bitcoin and Ethereum. Instead, it provides the underlying framework that makes multiple blockchains work together securely.

It was founded by Gavin Wood (who also co-founded Ethereum), Robert Habermeier, and Peter Czaban under the Web3 Foundation. 

What is Hyperbridge and where did it fail?

Hyperbridge is a protocol designed to enable secure, verified communication between blockchains connected through Polkadot's ecosystem. 

In this case, that verification broke down. The exploit exposed a specific edge case in the proof verification logic and insufficient checks in the admin-change function. 

Security firm CertiK flagged the transaction and explained that the attacker submitted a forged "proof," recycling data from a previously legitimate transaction. 

A flaw in the system's root verification function, a verification step that checks whether a piece of data is legitimate before acting on it, failed to confirm that the data was tied to its original request when only a single data entry was involved. 

This made a replay attack possible, meaning the attacker reused an already-approved message as if it were a fresh, valid one.

From there, the exploit moved downstream. A function responsible for changing the administrator of a token contract accepted the attacker's arbitrarily chosen source address without adequate verification. 

With admin access secured, the attacker minted one billion tokens and sold them, pocketing the proceeds.
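The flaw class described above, as a simplified model added here (not Hyperbridge's contract code): the flawed verifier never binds the request to the proof on the single-entry path, while the hardened gateway always derives the leaf from the request, rejects replays, and checks the source before changing the admin. The hash layout, all function and class names, and the sample values are assumptions constructed for illustration.

```python
import hashlib

def H(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated, length-prefixed SHA-256."""
    d = hashlib.sha256(tag)
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def commit(source: bytes, payload: bytes) -> bytes:
    """Leaf commitment covering both the claimed source and the payload."""
    return H(b"leaf", source, payload)

def fold(leaf: bytes, siblings) -> bytes:
    """Walk from a leaf to the root; siblings are (hash, sibling_is_left) pairs."""
    node = leaf
    for sib, sib_is_left in siblings:
        node = H(b"node", sib, node) if sib_is_left else H(b"node", node, sib)
    return node

def verify_flawed(source, payload, proof_leaf, siblings, root) -> bool:
    """Model of the flaw: the single-entry path never hashes the request."""
    if not siblings:
        return proof_leaf == root           # request is not bound to the proof
    return fold(commit(source, payload), siblings) == root

class HardenedGateway:
    def __init__(self, root: bytes, admin_source: bytes):
        self.root, self.admin_source, self.consumed = root, admin_source, set()

    def accept_admin_change(self, source, payload, siblings) -> bool:
        c = commit(source, payload)         # always derive the leaf from the request
        if source != self.admin_source:     # only the configured source may change admin
            return False
        if c in self.consumed:              # replay of an already-executed message
            return False
        if fold(c, siblings) != self.root:  # same check for one entry or many
            return False
        self.consumed.add(c)
        return True

# Constructed sample data: one legitimate message forms a single-entry tree.
GOV = b"constructed-governance-source"
OLD = b"constructed: set admin to address A"
ROOT = fold(commit(GOV, OLD), [])
FORGED = (b"constructed-other-source", b"constructed: set admin to address B")
```

In the flawed model a recycled leaf from the old message satisfies the check for any new request; in the hardened model the same input fails the source check, the root check, or the replay check.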

The Hyperbridge team has since acknowledged the breach on X.

"An exploit affected one of our Ethereum contracts. We've paused all bridging and advised partners to halt related transactions while the team contains the issue."

TheStreet Roundtable reached out to Polkadot and Hyperbridge for comments and had not received a response by the time of publication.

At the time of writing, the DOT token was down 3.3%, trading at $1.19. ETH was down 1.6% and changing hands at $2,182.73.
