Summary
On 30 May 2026, the Alephium Bridge was exploited through a fabricated on-chain event. The attacker did not break the bridge’s signature scheme or steal guardian keys. Instead, they deployed a contract on Alephium that emitted a forged Wormhole-style message, the bridge guardians observed that event and signed valid VAAs over it, and the attacker then redeemed those VAAs on Ethereum and BSC. The drain began at 09:16:59 UTC. Alephium’s on-chain report, published on 2 June, frames the loss as approximately $305K of backed collateral stolen plus 13.76 million unbacked wALPH minted. Of that minted total, about 500,000 wALPH was realised into liquidity and 13.26 million was later burned by guardians. Some third-party reports headline the incident at around $815K by valuing a larger share of the minted supply.
What is confirmed and what is pending
Alephium published an on-chain report on 2 June 2026 and was explicit that it is not a full postmortem. A fuller postmortem is still pending. The figures, mechanism, and recovery transaction below are drawn from that official on-chain report and corroborating third-party analysis. Root cause framing at the design level (why guardians signed over an unverified underlying event) is described by Alephium, but the complete remediation and process review remain to be published.
Incident timeline (UTC)
| Time | Event |
|---|---|
| Pre-drain | Attacker buys 485.19 wALPH on Ethereum and bridges it to Alephium, establishing a funded position on the destination chain. |
| 07:00–09:00, 30 May | Attacker disrupts bridge node connectivity, forcing the guardian set onto a fallback validation path. |
| 09:16:59, 30 May | Drain begins. Attacker’s fake-event contract emits forged Wormhole messages; guardians sign VAAs over them. |
| 30 May | Attacker redeems the signed VAAs on Ethereum and BSC, draining collateral and minting unbacked wALPH. |
| 14:49:35, 2 June | Guardians execute a TokenBridge upgrade at block 25,230,400 that burns 13,257,077.37295 wALPH, 96.4% of the unbacked supply. |
| 2 June | Alephium publishes its on-chain report. 500,000 wALPH had already escaped into pools before the burn. |
The attack path
The Alephium Bridge is built on a Wormhole-style guardian model. Guardians watch for designated events on a source chain, and when they see a qualifying message they collectively sign a Verifiable Action Approval (VAA). That signed VAA is the authorisation a destination chain accepts to release or mint tokens. The security assumption is that guardians only sign over events that genuinely originated from the legitimate bridge contracts.
The attacker targeted that assumption directly. First, they prepared a position by buying 485.19 wALPH on Ethereum and bridging it across, giving themselves funds on Alephium to operate with. Between 07:00 and 09:00 UTC they disrupted bridge node connectivity, which forced the guardians onto a fallback validation path rather than their primary one.
They then deployed a contract on Alephium that used the LOG7 instruction to emit events shaped like legitimate Wormhole messages. To the guardians observing the chain, these forged logs looked like real bridge emissions. The guardians signed VAAs over them without recognising that the underlying event was fabricated rather than produced by the genuine bridge contract. With validly signed VAAs in hand, the attacker submitted them for redemption on Ethereum and BSC, draining backed collateral and minting 13.76 million unbacked wALPH.
The binding failure is that a signed VAA carried full authority while the event it attested to was never bound to a trusted contract origin. The signatures were real. The thing they vouched for was not.
Technical evidence and explorer links
The following addresses and contracts appear in Alephium’s on-chain report and corroborating analysis. Full addresses and explorer links are reproduced exactly as published.
| Role | Address / link |
|---|---|
| Attacker (Ethereum) | https://etherscan.io/address/0x6681ebC82551fE52fDB48E65872e85a3ae06921d |
| Attacker (BSC, same address) | https://bscscan.com/address/0x6681ebC82551fE52fDB48E65872e85a3ae06921d |
| Consolidation EOA | https://etherscan.io/address/0xb80a7d612480d121696be6dfe062f5e6d984bfd4 |
| wALPH parking EOA | https://etherscan.io/address/0x0baD8f95a996DeADe828d21DAd765b60c2b2509c |
| Attacker fake-event contract (Alephium) | 24ZjqcvV8vVCn29zd1TThqAtaS8pMvJ4Co1MK5zncPcAB |
| Attacker bridge receiving wallet (Alephium) | 3cUr7y3DuEkkYJj6G7tehG8R21XTMEGXWcUcsu7BxsaR2vKh5twVm |
| LOG7 deployer wallet (Alephium) | 14etamDofb3XmupQyuFQN6c1szQYAduqxjzPq4YjwnPPv |
The recovery action was a TokenBridge upgrade(bytes encodedVM) call, method ID 0x25394645, executed at block 25,230,400 at 14:49:35 UTC on 2 June. It burned 13,257,077.37295 wALPH, 96.4% of the unbacked total. The remaining 500,000 wALPH had already escaped into liquidity pools.
Confirmed vs pending
| Field | Status | Detail |
|---|---|---|
| Incident date | Confirmed | 30 May 2026, drain began 09:16:59 UTC |
| Official report | Confirmed | Alephium on-chain report published 2 June 2026 (not a full postmortem) |
| Backed collateral stolen | Reported by Alephium | Approximately $305K |
| Unbacked wALPH minted | Reported by Alephium | 13.76 million wALPH |
| Realised into pools | Reported by Alephium | ~500,000 wALPH |
| Burned in recovery | Confirmed on-chain | 13,257,077.37295 wALPH, 96.4% of unbacked supply, at block 25,230,400 |
| Alternate headline figure | Reported by third parties | ~$815K (valuing a larger share of minted supply) |
| Full postmortem | Pending | Alephium states a fuller postmortem is still to come |
Why this matters
A valid signature is not the same as a valid event. Guardian and oracle models stake everything on the integrity of what is being signed. Here the cryptography worked exactly as designed; the guardians produced correct signatures over a message that should never have been treated as legitimate. When the thing being attested to can be forged by any contract that emits the right log shape, the signature only certifies that the forgery was observed.
Event emission is not authentication. Using a raw log instruction such as LOG7 to emit a Wormhole-shaped message means the bridge was, in effect, trusting the shape of an event rather than its origin. Any contract can emit any log. Without binding the message to the address of a trusted, known bridge contract, the observer cannot tell a genuine emission from a counterfeit one.
Degraded modes are attack surface. The attacker spent two hours disrupting node connectivity before the drain, forcing guardians onto a fallback validation path. Fallback and degraded paths are often less scrutinised than the primary path, and an attacker who can deliberately trigger them gains a weaker set of checks to work against. The disruption window was not noise; it was setup.
What defenders can take from this
Bind attested events to trusted origins, not just to a format. A guardian or relayer should verify that a qualifying event was emitted by a specific, allow-listed contract address, not merely that it has the expected topics and payload shape. If the validation logic accepts any log that looks right, it is validating syntax, not authenticity.
Treat connectivity disruption as a security signal. A sustained loss of node connectivity that precedes a sensitive operation should raise the bar for what the system will accept, not lower it. Fallback validation paths need to be at least as strict as the primary path, and ideally should pause irreversible actions when the network is degraded.
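The two controls above, origin binding and a fallback path that fails closed, expressed as one guardian-side decision function. This is an added example, not Alephium's or Wormhole's guardian code; the emitter placeholders, the node quorum of 2, and every name in it are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict

# Placeholder: the page does not publish the genuine bridge contract address.
TRUSTED_EMITTERS = {"alephium": {"TRUSTED_BRIDGE_CONTRACT_PLACEHOLDER"}}
REQUIRED_NODE_QUORUM = 2  # assumption: independent nodes that must agree on the emitter


class Decision(Enum):
    SIGN = "sign"
    REJECT = "reject"   # forged or malformed: never signable
    HOLD = "hold"       # plausible but unverifiable right now: queue, do not sign


@dataclass(frozen=True)
class ObservedLog:
    chain: str
    emitter: str    # contract address the node reports as the log's source
    tx_id: str
    shape_ok: bool  # outcome of the existing "parses as a bridge message" check


def decide(log: ObservedLog, node_views: Dict[str, str], degraded: bool) -> Decision:
    """node_views maps node id -> emitter that node reports for log.tx_id."""
    if not log.shape_ok:
        return Decision.REJECT
    # Origin binding: a correct shape from an unknown contract is a forgery.
    if log.emitter not in TRUSTED_EMITTERS.get(log.chain, set()):
        return Decision.REJECT
    # The fallback path keeps the allow-list and additionally fails closed.
    agreeing = sum(1 for seen in node_views.values() if seen == log.emitter)
    if degraded or agreeing < REQUIRED_NODE_QUORUM:
        return Decision.HOLD
    return Decision.SIGN


# Constructed observations (not real chain data).
GENUINE = ObservedLog("alephium", "TRUSTED_BRIDGE_CONTRACT_PLACEHOLDER", "tx-a", True)
FORGED = ObservedLog("alephium", "UNTRUSTED_CONTRACT_PLACEHOLDER", "tx-b", True)
VIEWS_OK = {"node-1": GENUINE.emitter, "node-2": GENUINE.emitter}
VIEWS_ONE = {"node-1": GENUINE.emitter}
```

The allow-list check runs before the connectivity check, so a correctly shaped log from an unknown contract is rejected in every mode, while a genuine one is only held back when connectivity is degraded or too few nodes agree.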
Plan the burn before you need it. The single most effective part of this response was the ability to execute a privileged upgrade-and-burn that destroyed 96.4% of the unbacked supply. That capability limited the damage materially, but it also depended on minted tokens still sitting where they could be reached. The 500,000 wALPH that had already moved into pools was unrecoverable, which is the strongest argument for detecting an unexpected mint within minutes rather than hours.
Reconcile supply continuously. An unbacked mint of 13.76 million tokens is, by definition, a break in the invariant that wrapped supply equals locked collateral. Continuous on-chain reconciliation of wrapped supply against backing is the control that turns this class of event from a slow drain into an immediate, automated halt.
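A monitor for this invariant, added here as an example and not taken from Alephium's tooling: it tracks locked backing against wrapped supply per destination chain and records the first event at which unbacked supply exceeds a tolerance. The event kinds, the 18-decimal base unit and the tolerance are assumptions, and the event stream is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

UNIT = 10**18  # assumption: amounts are integers in 18-decimal base units


@dataclass
class SupplyMonitor:
    tolerance: int = 0                  # assumed slack for cross-chain observation lag
    locked: int = 0                     # backing held by the source-chain bridge
    wrapped: Dict[str, int] = field(default_factory=dict)  # chain -> wrapped supply
    halted_at: Optional[int] = None     # index of the first event that broke the invariant
    unbacked_at_halt: int = 0

    def unbacked(self) -> int:
        return sum(self.wrapped.values()) - self.locked

    def observe(self, index: int, kind: str, chain: str, amount: int) -> bool:
        """Record one observed bridge event; return True while the invariant holds."""
        if kind == "lock":
            self.locked += amount
        elif kind == "unlock":
            self.locked -= amount
        elif kind in ("mint", "burn"):
            delta = amount if kind == "mint" else -amount
            self.wrapped[chain] = self.wrapped.get(chain, 0) + delta
        else:
            raise ValueError(f"unknown event kind: {kind}")
        if self.halted_at is None and self.unbacked() > self.tolerance:
            self.halted_at, self.unbacked_at_halt = index, self.unbacked()
        return self.halted_at is None


# Constructed sample stream (not real chain data): (kind, chain, whole tokens).
EVENTS = [
    ("lock", "alephium", 1000), ("mint", "ethereum", 1000),
    ("mint", "bsc", 50), ("lock", "alephium", 50),      # mint observed before its lock
    ("burn", "ethereum", 200), ("unlock", "alephium", 200),
    ("mint", "ethereum", 5000), ("mint", "bsc", 3000),  # no matching lock
]


def run(events, tolerance_tokens: int) -> SupplyMonitor:
    monitor = SupplyMonitor(tolerance=tolerance_tokens * UNIT)
    for i, (kind, chain, tokens) in enumerate(events):
        monitor.observe(i, kind, chain, tokens * UNIT)
    return monitor
```

The tolerance exists only to absorb a mint that the monitor sees before its lock on the other chain; with a tolerance of zero the same stream trips at the out-of-order mint instead of at the first mint that has no lock behind it.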
Sources
- Alephium, “The Alephium Bridge exploit: on-chain report”
- Crypto Times, “Bridge breach unpacked: Alephium traces $815K hack step by step”
- SlowMist Hacked feed
If your protocol depends on guardians, oracles, or relayers attesting to off-chain or cross-chain events, the question is not whether the signatures are valid. It is whether the events being signed are provably bound to a trusted origin, and whether your degraded and fallback paths are as hard to abuse as your primary one. Security4Web3 can review your attestation and validation logic, stress-test your fallback behaviour, and design supply-reconciliation monitoring that halts on the first unbacked mint rather than the last.