Alephium’s TokenBridge on Ethereum was drained for approximately $815,000 today after attackers compromised three of the bridge’s four guardian keys. The entire exploit unfolded in under seven minutes, according to Blockaid, which flagged the attack as it happened.
The attackers used the compromised keys to sign forged Verified Action Approvals (VAAs), effectively authorizing themselves to mint 13.76 million wrapped ALPH tokens, more than 100% of the supply that existed before the exploit. They also unlocked USDT, USDC, WBTC, and WETH held in custody by the bridge contract.
No Code Exploit Required
This wasn’t a smart contract vulnerability in the traditional sense. The bridge code worked exactly as designed. The problem: it trusted a multisig quorum that no longer belonged to the people who were supposed to hold it. Once the attacker controlled three of four keys, the bridge couldn’t tell legitimate messages from forged ones.
Huntor Labs pointed out the uncomfortable reality. “The bridge contract didn’t need to be ‘hacked’ in the usual way,” the security firm wrote. “The attacker reportedly got control of 3 out of 4 guardian keys. That was enough to make fake bridge messages look valid.”
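The quorum check described above, as an added example that is not Alephium's bridge code: a standard-library Python model of a 3-of-4 guardian verifier, showing that the only inputs are a payload and signatures. HMAC-SHA256 stands in for the guardians' real signature scheme, and the keys, payload strings and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed guardian set: 4 guardians, quorum of 3 (the 3-of-4 figure is from the article).
# HMAC-SHA256 stands in for the guardians' real signature scheme (assumption).
GUARDIAN_KEYS = {i: hashlib.sha256(b"constructed-guardian-%d" % i).digest() for i in range(4)}
QUORUM = 3


def sign(guardian_index, key, payload):
    """Produce one (index, signature) pair over the payload digest."""
    digest = hashlib.sha256(payload).digest()
    return guardian_index, hmac.new(key, digest, hashlib.sha256).digest()


def verify_vaa(payload, signatures):
    """Accept the message iff at least QUORUM distinct guardians signed it.

    A payload and signatures are everything the verifier sees. Nothing here
    can tell whether the rightful operator or someone else used a key.
    """
    digest = hashlib.sha256(payload).digest()
    valid = set()
    for index, sig in signatures:
        key = GUARDIAN_KEYS.get(index)
        if key is None:
            continue  # unknown guardian index
        expected = hmac.new(key, digest, hashlib.sha256).digest()
        if hmac.compare_digest(sig, expected):
            valid.add(index)  # a set, so repeats of one guardian count once
    return len(valid) >= QUORUM


def signed_by(payload, holder_keys):
    """Signatures from whoever currently holds the given keys."""
    return [sign(i, k, payload) for i, k in holder_keys.items()]


# Constructed payloads, not real VAA encoding.
LEGIT = b"mint 100 wrapped tokens to depositor"
FORGED = b"mint 13760000 wrapped tokens to unauthorised address"
three_keys = {i: GUARDIAN_KEYS[i] for i in (0, 1, 2)}  # quorum-sized key set
two_keys = {i: GUARDIAN_KEYS[i] for i in (0, 1)}       # below quorum

if __name__ == "__main__":
    print("legit, 3 signers  :", verify_vaa(LEGIT, signed_by(LEGIT, three_keys)))
    print("forged, 3 signers :", verify_vaa(FORGED, signed_by(FORGED, three_keys)))
    print("forged, 2 signers :", verify_vaa(FORGED, signed_by(FORGED, two_keys)))
```

The verifier returns the same result for the legitimate and the forged payload once a quorum of keys signs, so any control that distinguishes them (key custody, signer monitoring, mint limits) has to live outside this check.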
Second Bridge Hit the Same Day
Alephium wasn’t alone. The Gravity cross-chain bridge was drained for $5.4 million in a similar timeframe, according to Alaoui Capital. That attacker walked away with roughly $4.3 million in USDC and 274 ETH, worth around $550,000. Some of the funds have already been laundered, though over $4 million in ETH remains in the attacker’s wallet.
Both exploits underscore the structural risk baked into cross-chain bridges that rely on off-chain guardian sets rather than on-chain verification. When the guardians are the single point of failure, the question isn’t whether the contract is secure; it’s whether the keys are. Today, in two separate incidents, the answer was no.
