
If you just woke up and saw $DOT @Polkadot hacked, here is what I found (long-read)

THE SETUP

Hyperbridge uses ISMP (Interoperability State Machine Protocol) to bridge Polkadot assets to Ethereum. The architecture:

- EthereumHost - stores consensus state & commitments
- HandlerV1 - verifies proofs, dispatches messages
- Consensus Client - verifies BEEFY/GRANDPA proofs from Polkadot
- TokenGateway - mints/burns wrapped assets (DOT, ARGN, MANTA, etc.)

Two critical facts about the live config:

1) challengePeriod = 0 (no delay before state commitments become usable)
2) The consensus client (0xA0Ad0CfD02509321AA5968cD04A8E205Ce53669a) is UNVERIFIED - no public source code

---

THE ATTACK (one atomic transaction)

TX: etherscan.io/tx/0x240aeb9a8…

Attacker 0xC513E4f5D7a93A1Dd5B7C4D9f6cC2F52d2F1F8E7 deployed an exploit contract whose constructor executed this entire sequence:

1. Deploy sub-contract (0x31a165a956842aB783098641dB25C7a9067ca9AB)
2. Call run() on sub-contract
3. Sub-contract calls HandlerV1.handleConsensus() with a FORGED Polkadot consensus proof
4. The unverified consensus client accepts the forged proof
5. A malicious state commitment (containing an attacker-controlled MMR root) gets stored in EthereumHost
6. Since challengePeriod = 0, the commitment is IMMEDIATELY usable: no fisherman dispute window
7. Sub-contract calls HandlerV1.handlePostRequests() with a crafted MMR proof referencing the just-stored malicious root
8. The MMR verification passes trivially: the attacker controls BOTH the root and the proof
9. The forged ISMP message contains: action=ChangeAssetAdmin, source="POLKADOT-3367", newAdmin=sub-contract
10. TokenGateway checks request.source == "POLKADOT-3367" - PASSES (source was embedded in the forged MMR leaf)
11. TokenGateway calls DOT.changeAdmin(sub-contract); sub-contract is now DOT admin
12. Sub-contract calls DOT.mint(1,000,000,000 DOT)
13. Sub-contract approves DEX router for max, swaps 1B DOT for 108.2 ETH via Uniswap V4
14. ETH flows back: sub-contract -> exploit contract -> attacker EOA

All in one transaction. Gas cost: 0.000339 ETH. Profit: 108.2 ETH.

---

WHY THE SOURCE CHECK FAILS

TokenGateway's authorization for privileged actions like ChangeAssetAdmin:

    if (!request.source.equals(host.hyperbridge())) revert UnauthorizedAction();

This byte comparison is not a security boundary. It relies entirely on the integrity of the consensus proof upstream. The source field lives inside the MMR leaf; when the attacker controls the MMR root, they control every leaf, including the source field. The check becomes a tautology.

---

ROOT CAUSE

Two combined weaknesses:

challengePeriod = 0: The challenge period is the only defense against forged consensus proofs. When it's zero, any fraudulent state commitment accepted by the consensus client is immediately exploitable in the same block. No fisherman window. No dispute mechanism. Plant and exploit in one tx.

Unverified consensus client: The contract at 0xA0Ad0CfD02509321AA5968cD04A8E205Ce53669a has no public source code. Its verifyConsensus() accepted a forged BEEFY proof. Either a cryptographic bug, a deliberately weakened replacement, or a compromised signing key.

---

SCOPE: NOT JUST DOT

The attacker exploited multiple Hyperbridge-wrapped assets via the same vector:

- DOT: 1B minted (~$1.78B face value)
- ARGN (Argon): ~999B minted (~$1.03B face)
- MANTA: 211K minted (partially captured by MEV bot)
- CERE: ~23B minted (partially captured by MEV bot)

All are ERC6160Ext20 tokens managed by the same TokenGateway. Same forged ISMP message, different action payloads.
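
A small Python model of the two weaknesses described under WHY THE SOURCE CHECK FAILS and ROOT CAUSE, added here as an illustration; it is not Hyperbridge's code, and the Host class, handle_consensus/handle_post_request, the leaf layout and the SHA-256 Merkle proof are all assumptions. The same_tx_use_allowed() check shows that a non-zero challenge period is the only thing separating "commitment stored" from "commitment usable", and that the source comparison reads a field the stored root itself vouches for.

```python
import hashlib

HYPERBRIDGE = b"POLKADOT-3367"  # source id TokenGateway compares request.source against

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def leaf_hash(source: bytes, action: bytes) -> bytes:
    return h(b"leaf", source, action)  # the source field lives inside the leaf

def merkle_root(leaf: bytes, proof: list[tuple[bytes, bool]]) -> bytes:
    """Fold a Merkle proof of (sibling, sibling_is_left) pairs up to the root."""
    node = leaf
    for sibling, is_left in proof:
        node = h(sibling, node) if is_left else h(node, sibling)
    return node

class Host:
    """Toy EthereumHost/HandlerV1 (assumed names and shapes, not Hyperbridge's code)."""
    def __init__(self, challenge_period: int):
        self.challenge_period = challenge_period
        self.commitments: dict[int, tuple[bytes, int]] = {}  # height -> (root, stored_at)

    def handle_consensus(self, height: int, root: bytes, now: int) -> None:
        # The consensus client has already accepted the proof; the root is stored as-is.
        self.commitments[height] = (root, now)

    def handle_post_request(self, height, source, action, proof, now) -> bool:
        root, stored_at = self.commitments[height]
        # A non-zero challengePeriod is the only gate between "stored" and "usable".
        if now < stored_at + self.challenge_period:
            raise PermissionError("ChallengePeriodNotElapsed")
        if merkle_root(leaf_hash(source, action), proof) != root:
            raise ValueError("InvalidProof")
        # This compares a field the root itself vouches for; it adds no integrity
        # beyond whatever the consensus proof already guaranteed.
        if source != HYPERBRIDGE:
            raise PermissionError("UnauthorizedAction")
        return True

def same_tx_use_allowed(challenge_period: int) -> bool:
    """Config check: can a root stored at time T be consumed in the same block T?"""
    host = Host(challenge_period)
    sibling = h(b"other-leaf")  # constructed second leaf
    leaf = leaf_hash(HYPERBRIDGE, b"ChangeAssetAdmin")
    host.handle_consensus(1, root=h(leaf, sibling), now=1_000)  # root and proof from one party
    try:
        return host.handle_post_request(1, HYPERBRIDGE, b"ChangeAssetAdmin", [(sibling, False)], 1_000)
    except PermissionError:
        return False
```

With challenge_period=0 the call succeeds in the same block; with any positive value it reverts with ChallengePeriodNotElapsed, which is the window a fisherman would need to dispute the commitment.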
---

ATTACKER PROFILE

- 33-day-old wallet, seeded from a RAILGUN RelayAdapt contract (not a simple EOA)
- Spent a month deploying 15+ test contracts against live state
- Used LI.FI/GasZip to bridge ETH across chains immediately after funding (obfuscation)
- Pre-deployed custom zk-SNARK verification keys via RAILGUN 8.5 months before the exploit
- Laundering confirmed via RAILGUN zk shielded pool, withdrawing in 15 ETH denominations to fresh exit wallets

Months of preparation.

---

FUND FLOW

Primary swap: ~108.2 ETH ($237M)
Secondary waves: ~4,924 ETH ($10.8M)
Later stablecoin: ~$8M (WETH/USDC/USDT)
Total extracted: ~$250M+

EthereumHost is frozen (status=All). Attacker is laundering through RAILGUN. No bridge-out transactions observed yet. Exit wallet 0x43C291c59164e55E27326a719c4FD05a1b72F8b2 holds ~105 ETH from RAILGUN withdrawals.

---

KEY ADDRESSES

Attacker: etherscan.io/address/0xC513…
DOT Token: etherscan.io/address/0x8d01…
TokenGateway: etherscan.io/address/0xFd41…
EthereumHost: etherscan.io/address/0x792A…
Consensus Client (unverified): etherscan.io/address/0xA0Ad…
RAILGUN Exit Wallet: etherscan.io/address/0x43C2…