-2.81%
-5.31%
-3.11%
-2.13%
+1.52%
+0.07%
Hackers have drained approximately $815,000 from Alephium’s Token Bridge on Ethereum by minting 13.76 million wrapped ALPH tokens through forged transactions. The exploit prompted an immediate warning from the project for liquidity providers to withdraw their funds, adding to a growing series of bridge attacks throughout May 2026.
How the Attack Unfolded
On May 30, attackers successfully compromised Alephium’s Token Bridge by forging Verified Action Approvals, or VAAs. These cryptographic messages are used to authorize cross-chain transfers between blockchains. By creating false VAAs, the attackers minted a substantial amount of wrapped ALPH tokens that exceeded 100% of the token’s prior wrapped circulation.
Blockchain security firm Blockaid initially reported that the exploit resulted from a compromise of three out of four guardian keys protecting the bridge. According to their analysis, this gave the attacker a signing majority to forge the necessary VAAs within approximately seven minutes.
Alephium Disputes the Cause
The Alephium protocol has pushed back on this assessment. The team stated that the exploit was NOT caused by a compromise of the guardian keys, contrary to some early external reports.
Instead, Alephium claims the vulnerability stemmed from an offchain vulnerability in the bridge backend that could be triggered in specific edge cases.
On-chain analyst Specter confirmed that the attack impacted both the Ethereum and BNB Chain bridge contracts. Stolen funds were moved from BNB Chain to Ethereum, with a portion deposited into Tornado Cash. The drained assets included 200,967 USDT, 17,594 USDC, 5.18 WETH, and 0.335 WBTC from Ethereum, along with 36,750 USDT and 24.386 WBNB from BNB Chain.
A Brutal Month for Bridge Security
May 2026 has been particularly brutal for cross-chain infrastructure. The Alephium exploit is part of a troubling pattern of bridge attacks highlighting persistent vulnerabilities in these critical DeFi components.
Other major incidents in May include:
- Gravity Bridge: On May 30, the same day as Alephium, Gravity Bridge lost $5.4 million, suspected to be due to a contract key compromise
- Verus-Ethereum Bridge: Around May 18, this bridge suffered an $11.5 million loss from a verification bypass exploit
- THORChain: A coordinated attack on May 15 across Bitcoin, Ethereum, BNB Chain, and Base resulted in a $10 million loss
Across 2026 alone, cross-chain bridges have lost over $326 million through mid-May. According to DefiLlama data, bridge protocols account for $3.2 billion of the $16.6 billion in total value hacked across crypto history. This represents a disproportionately high share given how few bridge protocols exist relative to other DeFi components.
Immediate Action Required for Users
In response to the exploit, Alephium has urgently advised users providing liquidity to ALPH pools on Uniswap or PancakeSwap to withdraw their funds immediately. The project clarified that because the bridge has been shut down, the attacker cannot redeem or bridge the unauthorized wrapped ALPH back through the official Alephium bridge.
This measure prevents additional liquidity or trading activity from increasing the attacker’s ability to realize value from the illicitly minted tokens. Users are strongly advised against providing new liquidity or swapping against these affected pools.
The Alephium team is focused on recovery and remediation efforts, with promises to release further updates in the coming week. As of the latest report, ALPH trades at $0.037, with a market capitalization exceeding $5 million.
DefiLlama data indicates Alephium’s total value locked (TVL) across its DeFi protocols sits at approximately $756,000, with over $308,000 in bridged TVL. The increasing frequency of attacks on cross-chain bridges underscores the urgent need for enhanced security measures and robust auditing throughout the DeFi ecosystem. For a protocol still building its user base, this exploit represents a significant setback in both reputation and liquidity.
Follow Hashlytics on Bluesky, LinkedIn , Telegram and X to Get Instant Updates
