The most ridiculous heist? Hackers mint 1 billion dollars of $DOT, but only steal 230k dollars for "this reason"

Cryptocurrency attack incidents are emerging one after another, but cases like this where “taking big risks to earn small profits” are quite rare. Earlier today (13th), a hacker exploited a vulnerability in the Hyperbridge cross-chain bridge to mint 1 billion Polkadot (DOT) tokens out of thin air on Ethereum, with a nominal value of up to $1.19 billion. However, when attempting to sell these tokens, due to severe liquidity shortages, they only managed to exchange for about $237k worth of Ether.

It should be clarified that the target of the hacker attack was the “cross-chain bridge smart contract,” so the native DOT tokens on the Polkadot mainnet were not affected. The main cause of this vulnerability was that Hyperbridge’s EthereumHost contract failed to properly verify the authenticity of messages before passing cross-chain information to the TokenGateway.

Bridged $DOT (@Polkadot) was just exploited on @ethereum.

Control was transferred to the attacker’s contract, then 1 billion $DOT was minted and instantly dumped. The price plummeted from $1.22 to fractions of a cent.https://t.co/ECDT0RaHE9 pic.twitter.com/WUwxjtsNwr

— Onchain Lens (@OnchainLens) April 13, 2026

Cross-chain bridges have always been the most vulnerable link in blockchain architecture because they hold the management authority over token contracts. Once the verification mechanism is breached, hackers can easily gain the power to mint unlimited tokens.
Attack methods: forging messages, seizing management control, unlimited minting
On-chain tracking shows that the hacker submitted a forged message via dispatchIncoming and successfully directed it to TokenGateway.onAccept. The system should have verified the authenticity of this message based on the status on the Polkadot chain, but the verification mechanism recorded the promise value as “all zeros,” meaning the verification process was completely bypassed or nonexistent. As a result, the system mistakenly treated this fake message as a legitimate command.
The accepted message immediately executed the changeAdmin function on the bridged Polkadot token contract, transferring admin rights to the attacker’s address. After gaining control, the attacker minted 1 billion DOT tokens in a single transaction, then used Odos Router V3 to deposit these tokens into the DOT-ETH trading pool on Uniswap V4. After multiple swaps at slightly different prices, they ultimately withdrew about 108.2 ETH.
“Lack of liquidity” becomes a protective shield
In financial markets, “lack of liquidity” is usually a headache for whales and large traders, but ironically, in this case, the liquidity shortage became an invisible shield, greatly limiting the hacker’s profit potential.
Because the liquidity depth of DOT on Ethereum is extremely limited, it cannot absorb the 1 billion tokens minted out of thin air. When the hacker rushed to sell and cash out, severe slippage caused the actual price per token to fall below one cent.
In a market with deeper liquidity or higher-value bridging assets, the same vulnerability could cause losses dozens of times greater. As of the time of writing, DOT’s trading price is about $1.17, down 5% in the past 24 hours.
This incident again demonstrates that even if hackers have “unlimited minting rights,” whether they can successfully arbitrage ultimately depends on market liquidity and trading depth. The well-known blockchain security firm CertiK later confirmed the attack and stated that the hacker profited approximately $237k by minting and selling the bridged tokens.
As of now, Hyperbridge has not issued any public comment regarding the hacker incident.

#CertiKInsight 🚨

We have seen an exploit on the @hyperbridge gateway contract. https://t.co/h27iDm1JGd

The attacker slipped through a forged message to change the admin of Polkadot token contract on Ethereum and profited ~$237K from minting and selling 1B tokens.

Stay… pic.twitter.com/3t2n4uq5hy

— CertiK Alert (@CertiKAlert) April 13, 2026