What was originally thought to amount to $237,000 worth of token losses linked to the Polkadot-Ethereum bridge is actually closer to $2.5 million—a more than 10x increase from the initial report.
The attacker extracted roughly 245 ETH from a related TokenGateway contract.
About an hour later, a forged cross-chain message bypassed MMR proof verification, allowing the attacker to mint 1 billion bridged DOT and dump them into thin liquidity.
“Following reconciliation of attacker activity across each of the four chains, the two-phase nature of the attack, and losses from the associated incentive pools, the revised total realized loss is approximately $2.5 million, denominated in ETH and DOT at the time of the exploit,” it wrote.
The stolen funds have been traced to a deposit address on Binance, and the firm has engaged the centralized exchange’s compliance team and relevant law enforcement in an attempt to freeze and recover the stolen assets—but it doesn’t expect a resolution soon.
“We are pursuing every available channel, but the realistic timeline for meaningful recovery in a case of this type is measured in months, and can extend up to a year,” it added.
While its goal is to make all affected users whole, repaying funds that have been compromised, the protocol indicated that it is “committed to a structured BRIDGE token allocation to cover the residual loss,” should it be unable to do so.
Bridging functionality on the four affected blockchains remains paused, and will only resume after a patch is deployed and audited.
“This does not change our conviction that cross-chain interoperability is only secure through cryptographic proofs,” the protocol team wrote.
“What this exploit has made clear, expensively, is that verification logic needs more frequent audits and adversarial testing at every layer of the stack,” it added. “That is the standard Token Gateway will operate under going forward.”
