A recent exploit on the Hyperbridge protocol highlights the ongoing security challenges faced by blockchain bridges. A hacker successfully manipulated a Merkle tree verifier to mint 1 billion bridged Polkadot tokens on Ethereum.
The attacker's gains were capped at $237,000 due to shallow liquidity in the bridged pool, but the incident serves as a reminder of the potential risks associated with proof-based systems.
Security researchers have identified a likely vulnerability in the Merkle Mountain Range (MMR) proof-to-request binding, which allowed the attacker to forge an administrative message and change the Polkadot token contract's ownership on Ethereum.