Alephium Bridge Hit by Forged Message Exploit, $815K Drained

Alephium, a proof-of-work Layer 1 that operates a private fork of the Wormhole bridge, said it lost roughly $815,000 on Friday across Ethereum and BNB Chain after an attacker pushed forged messages through the bridge's backend, making the transfers appear legitimate. The team has taken the bridge offline and said no new transactions can be initiated. According to Alephium's accounting, the attacker withdrew 200,967 USDT, 17,594 USDC, 5.18 WETH and 0.335 WBTC on Ethereum, plus 36,750 USDT and 24.386 WBNB on BNB Chain. The attacker also minted 13.76 million wrapped ALPH on Ethereum without any corresponding ALPH locked on the Alephium chain. Blockchain security firm Blockaid said the full exploit unfolded in about seven minutes. Blockaid reported it first and involved the SEAL 911 emergency-response unit. While the loss is modest compared with 2026's broader bridge toll — PeckShield data puts cumulative cross-chain bridge losses at about $329 million through mid-May — the method is drawing attention. Early reports, including from Blockaid, initially pointed to compromised guardian keys. Alephium and Blockaid later revised that assessment. In a follow-up, Blockaid said the incident "does not appear to have involved a compromise of guardian private keys." Instead, it "appears to have involved an exploit that allowed forged malicious events/messages to be observed and signed by guardians." Alephium's post-incident statement likewise cited "an offchain vulnerability in the bridge backend that could be triggered in specific edge cases," and said it found no smart-contract bug or key compromise. The difference matters operationally: a stolen-key incident is a custody and device-security failure, while a forged-event incident points to a software-layer breakdown between on-chain bridge contracts and the off-chain pipeline that presents data to guardians for signing. In this case, guardians produced valid signatures over invalid data, and six signed approvals were enough to drain the bridge. Alephium's fork uses a four-guardian set with a quorum of three. Wormhole mainnet, by contrast, runs 19 guardians with a 13-signature quorum. With a smaller set, a backend flaw that gets a forged message in front of a few guardians needs fewer confirmations to pass, amplifying the impact when the off-chain feed is corrupted. Alephium said ALPH held inside the bridge itself was not drained and can be recovered. The team urged ALPH holders on Ethereum and BNB Chain to pull liquidity from Uniswap and PancakeSwap pools immediately, warning that ongoing swap activity could allow the attacker to convert the 13.76 million unbacked wrapped ALPH still sitting in the exploiter's wallet into real value. The incident adds to a busy year for cross-chain bridge attacks. The Verus-Ethereum bridge lost $11.5 million on May 18 to a backing-validation flaw, and Gravity Bridge was drained of $5.4 million on May 30 in a suspected signing-key compromise. CrossCurve and Hyperbridge were hit earlier in the year by fabricated-message and verifier bugs. Alephium said it will announce a recovery process for users with ALPH locked in the bridge next week, alongside a full technical postmortem and details of a compensation plan. The bridge will remain offline until then.