
Alephium TokenBridge Exploit Exposes Off-Chain Bridge Risk After $815K Loss


Anonymous, CryptoCompass newsroom
June 1, 2026

The Alephium TokenBridge exploit has added another security breach to a difficult year for cross-chain systems. Alephium said its bridge lost about $815,000 across Ethereum and BNB Chain after forged messages moved through the bridge backend and were treated as valid transfers.

Blockaid first detected the attack on May 30 and alerted the SEAL 911 emergency-response unit. The full incident reportedly lasted about seven minutes. Alephium then shut down the bridge and said no new transactions could be started.

Alephium TokenBridge Exploit Triggers Wrapped ALPH Mint

The attacker drained USDT, USDC, WETH, WBTC, and WBNB from bridge-linked assets. They also minted 13.76 million wrapped ALPH on Ethereum without locking matching ALPH on the Alephium chain.


The Alephium TokenBridge exploit affected a system that connects the Alephium blockchain with Ethereum. In normal transfers, ALPH is locked on one chain. A wrapped version is then minted on another chain after approval from bridge guardians.

That approval process failed in this case. The attacker pushed forged events through the backend. Guardians then signed messages that looked valid to the system, even though the data behind them was false.

Bridge Taken Offline After Attack

Alephium paused the bridge after the incident. The team said the shutdown would remain in place while it prepared a recovery plan, a technical postmortem, and compensation details.

The project also advised ALPH holders on Ethereum and BNB Chain to remove liquidity from Uniswap and PancakeSwap pools. This warning was important because the attacker still held unbacked wrapped ALPH. Any active market liquidity could help convert those tokens into real value.


Asset Losses Reported Across Chains

According to Alephium’s accounting, the attacker drained 200,967 USDT, 17,594 USDC, 5.18 WETH, and 0.335 WBTC on Ethereum. On BNB Chain, the stolen assets included 36,750 USDT and 24.386 WBNB.

The Alephium TokenBridge exploit also created 13.76 million wrapped ALPH on Ethereum. Those tokens were not backed by locked ALPH. Blockaid said the amount exceeded the wrapped ALPH supply that had existed before the incident.

Initial Key Compromise Theory Revised

Early reports suggested that three of four guardian private keys may have been compromised. Later updates changed that view.

Blockaid said the incident did not appear to involve stolen guardian keys. Alephium also ruled out a smart-contract bug and a key compromise. The team instead pointed to an off-chain vulnerability in the bridge backend.

That finding changed the main concern. The issue was not simply a lost signing key. It was a system flaw that allowed false events to reach the approval process.

What Actually Failed

The Alephium TokenBridge exploit appears to have started in the layer between on-chain contracts and off-chain bridge operations. This layer feeds events to guardians for approval.

The guardians gave valid signatures. However, those signatures were attached to invalid data. That meant the bridge accepted forged withdrawal and minting messages as real activity.

This kind of failure is dangerous because it makes bad instructions appear legitimate. Once signed approvals reached the bridge, funds could be released.

Four-Guardian Model Raises Questions

Alephium’s bridge fork used four guardians. A transfer required approval from three of them. That design created a small quorum.

A small guardian set can move faster, but it leaves less room for error. If a backend flaw sends false data to enough guardians, the system may still approve it.

The Alephium TokenBridge exploit has renewed debate over bridge quorum design. Larger guardian networks may reduce this risk, but they also add complexity.
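
A simplified model of the failure described in "What Actually Failed" and of the three-of-four quorum, added here as an illustration and not taken from Alephium's or Blockaid's code. HMAC stands in for guardian signatures, and the `chain_view` lookup, event fields and sample values are assumptions made for the example.

```python
import hashlib
import hmac

QUORUM = 3  # approvals required out of four guardians, as in the article

def digest(event):
    """Canonical bytes of the transfer message that guardians sign."""
    fields = (event["tx"], event["to"], str(event["amount"]))
    return hashlib.sha256("|".join(fields).encode()).digest()

class Guardian:
    def __init__(self, key, chain_view=None):
        self.key = key
        # chain_view: this guardian's own record of source-chain locks
        # (hypothetical). None means it signs whatever the backend relays.
        self.chain_view = chain_view

    def mac(self, event):
        # HMAC stands in for a real signature scheme in this model.
        return hmac.new(self.key, digest(event), hashlib.sha256).digest()

    def sign(self, event):
        if self.chain_view is not None:
            if self.chain_view.get(event["tx"]) != (event["to"], event["amount"]):
                return None  # no matching lock on the source chain: refuse
        return self.mac(event)

def approved(event, guardian_set):
    """True when at least QUORUM guardians return a valid signature."""
    valid = 0
    for g in guardian_set:
        sig = g.sign(event)
        if sig is not None and hmac.compare_digest(sig, g.mac(event)):
            valid += 1
    return valid >= QUORUM

# Constructed sample data: one real lock and one event with no lock behind it.
LOCKS = {"tx-1": ("0xuser", 100)}
GENUINE = {"tx": "tx-1", "to": "0xuser", "amount": 100}
FORGED = {"tx": "tx-999", "to": "0xother", "amount": 1_000_000}

def make_guardians(verifying):
    """Four guardians, of which `verifying` check their own chain view."""
    return [Guardian(bytes([i]) * 32, LOCKS if i < verifying else None)
            for i in range(4)]

if __name__ == "__main__":
    for n in range(5):
        print(n, "verifying guardians -> forged approved:",
              approved(FORGED, make_guardians(n)))
```

In this model every signature is cryptographically valid, yet the forged event is approved unless at least two of the four guardians check it against their own view of the source chain.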

Similar Bridge Attacks Add Pressure

The incident follows other bridge failures in 2026. The Verus-Ethereum bridge lost about $11.5 million in May after a validation flaw. Gravity Bridge also suffered a reported $5.4 million drain in a separate case tied to suspected signing issues.

These cases show a common problem. Cross-chain bridges often rely on off-chain verification, message relays, and trusted signers. If one part of that process fails, assets on multiple chains can be exposed.

Recovery Plan Still Pending

Alephium said ALPH held inside the bridge itself was not drained and remains recoverable. The team said it would share next steps for affected users after completing its review.

Until then, the bridge will stay offline. The Alephium TokenBridge exploit will likely remain under close review by security teams because the attack involved forged backend events, not a simple smart-contract failure.

Conclusion

The Alephium TokenBridge exploit shows how bridge systems can fail even when private keys remain secure. The attacker used forged messages to unlock assets and mint unbacked wrapped ALPH.

The loss was smaller than some recent bridge attacks. Still, the method matters. It exposed how off-chain backend flaws can turn guardian approvals into a weakness. For Alephium users, the next key update will be the recovery process and full postmortem.

Appendix: Glossary of Key Terms

Alephium TokenBridge: A cross-chain bridge that connects Alephium with Ethereum and supports wrapped ALPH transfers.

Forged Messages: Fake bridge instructions that appeared valid after being signed by guardians.

Wrapped ALPH: A tokenized version of ALPH minted on another blockchain after real ALPH is locked.

Bridge Guardians: Validators that approve cross-chain transfer messages before assets are released or minted.

Off-Chain Vulnerability: A flaw outside the smart contract layer that affected bridge backend operations.

SEAL 911: A crypto security emergency-response group that helps projects respond to active exploits.

BNB Chain: A blockchain network where part of the stolen bridge-linked assets were drained.

Liquidity Pools: Trading pools on decentralized exchanges that attackers can use to convert stolen or unbacked tokens.

Frequently Asked Questions About the Alephium TokenBridge Exploit

1. What was the Alephium TokenBridge exploit?

It was a bridge attack where forged backend messages were signed and accepted as valid transfers.

2. How much was lost?

Alephium reported about $815,000 in losses across Ethereum and BNB Chain.

3. Were guardian keys stolen?

Alephium and Blockaid later said the attack did not appear to involve stolen private keys.

4. What assets were affected?

The drained assets included USDT, USDC, WETH, WBTC, and WBNB. The attacker also minted unbacked wrapped ALPH.
