Alephium TokenBridge Exploit Drains $815,000 After Forged Guardian Messages

Alephium’s TokenBridge was exploited for about $815,000 after an attacker pushed forged messages through the bridge’s backend and had them treated as valid transfer instructions. The attack did not involve stolen guardian private keys, according to Alephium’s later correction and Blockaid’s revised assessment.

The exploit unfolded in roughly seven minutes across Ethereum and BNB Chain, forcing Alephium to shut down the bridge and block new bridge transactions. The speed of the incident showed how quickly cross-chain messaging failures can become liquidity events, even when the underlying chain or user wallets are not directly compromised.

Forged Events Passed Through Guardian Controls

The root cause was traced to an off-chain vulnerability in the bridge backend, not to a smart-contract bug or direct key compromise. Guardians applied legitimate signatures to illegitimate data, allowing malicious events to pass through a three-of-four quorum model.

The attacker minted about 13.76 million unbacked wrapped ALPH on Ethereum without corresponding ALPH locked on Alephium. That created a dangerous supply mismatch, because the unauthorized wrapped tokens could be swapped against real liquidity if pools remained active.

Alephium’s accounting listed losses on Ethereum of 200,967 USDT, 17,594 USDC, 5.18 WETH and 0.335 WBTC. BNB Chain losses added 36,750 USDT and 24.386 WBNB, bringing the total impact to roughly $815,000.

Liquidity Providers Face Immediate Exposure

Alephium urged users not to provide liquidity to ALPH pools on Ethereum or BNB Chain and to withdraw existing liquidity from Uniswap and PancakeSwap. Any continued swap activity could help the attacker convert unbacked ALPH into real assets, extending the damage beyond the initial bridge drain.

The team said ALPH locked inside the bridge was not drained and should be recoverable through a dedicated process. Alephium also said it would release more details on recovery, remediation and compensation, while keeping the bridge offline during the response period.

Bridge-backed tokens rely on off-chain message construction, guardian review and backend integrity, all of which can fail before a transaction reaches the destination chain.

The incident highlights the need for stronger validation between backend event generation and guardian signing. Quorum-based security is only as strong as the data guardians are asked to approve, making forged-message resistance a core bridge-design requirement.
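The design point above, as an added example that is not Alephium's code: a simplified model of a three-of-four quorum in which each guardian either signs whatever the backend hands it or first checks the message against its own view of source-chain locks. The message fields, sample values, helper names and the HMAC used in place of a real signature scheme are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TransferMsg:
    source_tx: str   # lock transaction id on the source chain (hypothetical field)
    token: str
    amount: int
    recipient: str

    def digest(self) -> bytes:
        fields = (self.source_tx, self.token, str(self.amount), self.recipient)
        return hashlib.sha256("|".join(fields).encode()).digest()

# Constructed sample: the only lock the guardians observed on the source chain.
OBSERVED_LOCKS = {"tx-001": ("ALPH", 500, "0xRecipientA")}

class Guardian:
    def __init__(self, key: bytes, verifies_source: bool):
        self.key = key
        self.verifies_source = verifies_source

    def sign(self, msg: TransferMsg):
        """Return a signature, or None when the guardian refuses to sign."""
        if self.verifies_source:
            # Compare every field with the guardian's own view of the lock,
            # not with whatever the backend placed in the message.
            expected = OBSERVED_LOCKS.get(msg.source_tx)
            if expected != (msg.token, msg.amount, msg.recipient):
                return None
        # HMAC stands in for a real guardian signature scheme.
        return hmac.new(self.key, msg.digest(), hashlib.sha256).digest()

def make_guardians(n_verifying: int, total: int = 4):
    """Build a guardian set in which the first n_verifying check the source chain."""
    return [Guardian(f"key-{i}".encode(), i < n_verifying) for i in range(total)]

def quorum_reached(msg: TransferMsg, guardians, threshold: int = 3) -> bool:
    sigs = [s for g in guardians if (s := g.sign(msg)) is not None]
    return len(sigs) >= threshold

# Constructed messages: one backed by a lock, two that are not.
GENUINE = TransferMsg("tx-001", "ALPH", 500, "0xRecipientA")
FORGED = TransferMsg("tx-999", "ALPH", 13_760_000, "0xRecipientB")  # no lock exists
INFLATED = TransferMsg("tx-001", "ALPH", 50_000, "0xRecipientA")    # real tx, wrong amount

if __name__ == "__main__":
    for n in (0, 1, 2, 4):
        gs = make_guardians(n)
        print(n, [quorum_reached(m, gs) for m in (GENUINE, FORGED, INFLATED)])
```

With a threshold of three out of four, the unbacked messages are rejected only when at least two guardians verify independently; a single verifying guardian still leaves three blind signatures.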

The Alephium exploit was modest compared with larger bridge failures, but its mechanism is more important than its size. Cross-chain systems remain concentrated operational risk points, and LPs should treat bridge-issued assets as contingent on every layer of the signing and message-verification stack.
