Arkham Flags Polkadot Bridge Exploit, $240K Drained

Bridged DOT just got rugged on Ethereum$1,686.33, not the native Polkadot$1.232 chain. Arkham said earlier today that an attacker exploited a third-party bridge, minted 1 billion bridged dot$0.000417 on Ethereum, and then dumped the counterfeit supply directly into liquidity pools to pull out more than $240,000 in ETH across multiple transactions. ^[1]

That distinction matters. The issue, based on Arkham's description, is not a failure of Polkadot itself, but of the wrapper and verification assumptions used by a separate bridge that issued DOT on Ethereum. Once the attacker could mint unbacked bridged assets, the trade was simple: print fake DOT, sell it into on-chain pools, drain the real asset on the other side. In this case, the real asset was ETH liquidity.

Arkham's public alert went out on April 13 at 06:37 UTC, following earlier detection and disclosure signals between roughly 06:09 and 06:37 UTC. The firm said the attacker removed over $240,000 in ETH "across multiple transactions," which suggests this was not a one-shot drain but a sequenced liquidity extraction. That usually points to an attacker managing slippage, pool depth, or routing across venues rather than simply smashing one pool and taking the worst fill. ^[1]

The headline number is the 1 billion DOT minted on Ethereum. Even if the bridged token had limited liquidity or poor market depth, that amount is so far beyond any credible circulating bridge inventory that it immediately signals a mint control failure. This is the core risk in wrapped asset systems: the market prices a bridged token as if it is redeemable 1:1, but that peg only holds if the bridge's issuance logic is sound. When issuance breaks, the wrapper becomes just another ERC-20 with a logo problem.

No broader contagion has been confirmed yet, and there were no corroborating market impact signals at the time of Arkham's post. Still, the exploit is meaningful for three reasons. First, LPs in the affected Ethereum pools appear to have been the immediate exit liquidity. Second, any protocol that accepted this bridged DOT as collateral or as a pricing input now has to verify whether fake supply reached its contracts. Third, this is another reminder that "bridge risk" is not abstract smart contract boilerplate. It is often the single biggest trust assumption in cross-chain DeFi. ^[1]

The missing piece for now is attribution of the bridge itself. Arkham identified it only as a third-party bridge, and that is the most important operational detail still unresolved publicly. The bridge operator's next steps will determine whether this remains a contained $240,000 extraction or turns into a wider cleanup involving paused contracts, frozen wrappers, liquidity pool rebalances, and potential bad debt elsewhere in DeFi. ^[1]

For traders and protocol teams, the practical watchlist is straightforward: identify the exact bridged DOT contract on Ethereum, track which pools absorbed the dump, check whether any lending markets or vaults integrated the asset, and monitor the bridge team's response for mint pausing or redemption shutdowns. The exploit is small compared with the biggest bridge hacks, but the mechanism is the real story. If a bridge can mint 1 billion fake units of a major asset, the wrapper is only as good as the code and controls behind it.