An attacker minted $1 billion in fraudulent Polkadot tokens on Ethereum but extracted just $250,000 before liquidity dried up.

An attacker exploited a vulnerability to mint approximately $1 billion worth of fraudulent Polkadot (DOT) tokens on Ethereum but managed to convert only $250,000 into real value before the attack was identified and contained, according to blockchain security firm CertiK. The episode illustrates both the scale at which smart contract exploits can be attempted and the friction attackers face in converting paper gains into actual funds.

The attack targeted a vulnerability in Polkadot’s Hyperbridge interoperability protocol bridge contract or wrapped-asset mechanism that failed to properly authenticate the Polkadot collateral backing the minted tokens. By exploiting that gap, the attacker was able to generate a massive nominal position, but converting those tokens into legitimate assets requires liquid markets willing to buy them.

This story is an excerpt from the Unchained Daily newsletter.

Security researchers at CertiK flagged the exploit onchain and noted the final loss was limited relative to the size of the attempted theft. The genuine DOT token and the Polkadot network itself were not compromised. The attack was entirely on the Ethereum side, through a contract purporting to represent Polkadot assets.

The incident adds to a growing list of bridge and wrapped-token exploits that have cost DeFi users billions over the past several years. Bridges remain among the most structurally vulnerable points in multi-chain DeFi because they require trust assumptions at the boundary between two separate blockchains. The attacker’s inability to monetize the full mint offers a partial defense, but the ability to generate $1 billion in fake tokens in the first place signals that the underlying vulnerability was severe.