Alephium TokenBridge on Ethereum Exploited, $815,000 Stolen in 7 Minutes

Blockchain security firm Blockaid reported a fresh exploit involving Ethereum's Alephium TokenBridge, identified on May 30. Investigators say attackers used three of the bridge's four guardian keys, which were later found to be compromised, to sign forged VAAs (Verified Action Approvals), draining about $815,000 in roughly seven minutes.

Alephium TokenBridge connects Ethereum and the Alephium blockchain. In normal operation, when users move ALPH from Alephium to Ethereum, the ALPH is locked on Alephium and a wrapped version (wALPH) is minted on Ethereum. The bridge relies on guardian signatures to validate these cross-chain messages: three of the four guardians must sign for a transfer to be approved.

Blockaid's findings indicate the attackers obtained the private keys for three guardians and then generated counterfeit VAAs that appeared legitimate. Beyond triggering wALPH minting, the forged messages also instructed the bridge to release assets that were already locked. This led to the unlocking of Tether (USDT), USD Coin (USDC), Wrapped Bitcoin (WBTC), and Wrapped Ether (WETH).

Without making any ALPH deposit, the attackers minted 13.76 million wrapped ALPH. Blockaid noted this exceeded 100% of the previously available wrapped supply, effectively creating ALPH-backed assets without collateral.

The incident mirrors prior bridge attacks, including the Wormhole exploit, where attackers minted unbacked assets using forged bridge messages. It also follows a recent exploit of the VerusEthereum bridge that reportedly resulted in losses of about $11.58 million.

In total, the compromise of three guardian keys enabled the theft of $815,000 in minutes and the unauthorized minting of 13.76 million wrapped ALPH.
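
An added example, not code from Blockaid or the Alephium project: signatures from three compromised guardian keys still verify, so the sketch below shows a monitor that reads the source chain itself and checks that every mint or unlock on Ethereum is backed by a matching lock or burn on Alephium. The event fields, the 25% mint-ratio limit, the prior supply figure and the sample amounts are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str      # source chain: "lock"/"burn"; destination chain: "mint"/"unlock"
    token: str
    amount: int
    sequence: int  # sequence number of the cross-chain message (assumed field)

# Destination-side release -> source-side action that must back it.
REQUIRES = {"mint": "lock", "unlock": "burn"}

def audit(events, wrapped_supply, max_mint_ratio=0.25):
    """Return (sequence, reason) alerts for releases that lack source-chain backing."""
    source = {}       # (kind, token, sequence) -> amount observed on the source chain
    consumed = set()  # source actions already redeemed once
    supply = dict(wrapped_supply)
    alerts = []
    for e in events:
        if e.kind in ("lock", "burn"):
            source[(e.kind, e.token, e.sequence)] = e.amount
            continue
        need = REQUIRES[e.kind]
        key = (need, e.token, e.sequence)
        if key in consumed:
            alerts.append((e.sequence, "replayed message"))
        elif source.get(key) != e.amount:
            alerts.append((e.sequence, f"{e.kind} without matching {need}"))
        consumed.add(key)
        if e.kind == "mint":
            before = supply.get(e.token, 0)
            if e.amount > before * max_mint_ratio:  # one mint is a large share of supply
                alerts.append((e.sequence, "mint exceeds supply-ratio limit"))
            supply[e.token] = before + e.amount
    return alerts

# Constructed sample: one honest transfer, then two releases with nothing behind them.
SAMPLE = [
    Event("lock", "ALPH", 1_000, 1),
    Event("mint", "ALPH", 1_000, 1),
    Event("mint", "ALPH", 13_760_000, 2),
    Event("unlock", "USDT", 500_000, 3),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE, {"ALPH": 10_000_000}):  # prior supply is a constructed figure
        print(alert)
```

The check is independent of guardian signatures by design, so it only has value if the monitor's view of the source chain does not pass through the same keys or hosts as the guardians.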