Five months into 2026, and the attacks continue. Blockaid, a blockchain security company, discovered a new exploit targeting Ethereum’s Alephium TokenBridge on the 30th of May.
According to the investigation, three out of four compromised guardian keys that signed forged VAAs (Verified Action Approvals) were used to drain $815,000 in seven minutes.
How were guardian keys compromised?
For context, the Alephium TokenBridge is a bridge that links Ethereum and the Alephium blockchain.
When users switch from Alephium to Ethereum [ETH], the real ALPH is locked on a single chain. Moving ahead, Ethereum is used to mint a wrapped version (wALPH).
Before allowing the mint to proceed, three guardians of the bridge confirm that the lock was indeed made. Additionally, to verify cross-chain transfers, the system uses guardian signatures.
For a transfer message to be approved by the bridge, three of the four guardians have to sign it. However, in the Alephium TokenBridge attack, the three guardian private keys were somehow obtained by the attackers.
After obtaining those keys, they fabricated phony bridge messages known as VAAs and made them seem authentic.
The ‘minting’ twist
In addition to minting ALPH, the forged VAAs gave the bridge instructions to release assets that were already arrested.
As a result of the attackers’ convincing the bridge that there had been valid withdrawals, Tether [USDT], USD Coin [USDC], Wrapped Bitcoin (WBTC), and Wrapped Ether (WETH) were unlocked.
Without making a real ALPH deposit, the attackers made 13.76 million wrapped ALPH. According to Blockaid, this was more than 100% of the previously available wrapped supply.
In other words, the attacker essentially produced a vast quantity of ALPH-backed assets out of thin air.
Similar attacks in the past
This resembles the Wormhole Bridge Exploit, in which attackers created assets that were never backed by collateral and forged bridge messages.
Additionally, this followed a recent attack on the Verus-Ethereum bridge, which depleted approximately $11.58 million.
Final Summary
- In this attack, three out of four compromised guardian keys resulted in the drain of $815,000 in just seven minutes.
- The attackers minted 13.76 million wrapped ALPH without actually depositing any ALPH.
