Est. MMXXVI · Vol. VI · № 291
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 282 · Bridge Exploit

Alephium TokenBridge Exploit

An attacker submitted forged guardian VAAs to Alephium's Wormhole-fork TokenBridge, draining about $815,000 of custody assets from Ethereum and BNB Chain in roughly seven minutes.

Date: May 30, 2026
Victim: Alephium
Funds Stolen: approximately $815,000

On May 30, 2026, Alephium's cross-chain TokenBridge — a fork of Wormhole — was exploited for approximately $815,000. The attacker submitted forged Verified Action Approvals (VAAs) that the bridge's guardian set accepted as genuine, unlocking custody reserves on Ethereum and BNB Chain in roughly seven minutes.

What happened

Alephium's bridge ran a Wormhole fork secured by only four guardians, far fewer than Wormhole's mainnet set of 19 with a 13-signature quorum. Security firm Blockaid reported that the attacker gained control of three of the four guardian keys — enough to sign six forged VAAs and call completeTransfer on the TokenBridge proxy. Those messages instructed the contract to release custody assets: on Ethereum roughly 200,967 USDT, 17,594 USDC, 5.18 WETH and 0.335 WBTC, plus 36,750 USDT and 24.386 WBNB on the BNB Chain side. The attacker also minted 13.76 million unbacked wrapped ALPH (wALPH) directly to their own wallets.

Aftermath

Alephium halted the bridge and warned liquidity providers to withdraw until further notice. On June 2, 2026, the remaining guardians executed an authorised recovery that burned the unbacked wALPH held in the attacker's wallets in a single transaction, preventing its sale. The roughly $815,000 in real custody assets was not recovered; the team said it was exploring options to make affected users whole.

Why it matters

The Alephium incident is a textbook guardian-quorum failure: a Wormhole fork inherits Wormhole's trust model but not its decentralisation, and four signers is a small target. It echoes the original Wormhole signature-verification bug and the forged-message pattern at Nomad Bridge. Like Gravity Bridge and the Syscoin bridge earlier in 2026, it shows that bridge security collapses to the integrity of off-chain message validation — when an attacker can forge the approvals a bridge trusts, the on-chain code dutifully hands over real assets.
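
The quorum arithmetic behind that failure, as an added example that is not part of the original report or Alephium's code. It uses Wormhole's quorum rule of more than two thirds of the guardian set, which matches the 3-of-4 and 13-of-19 figures above; the function names are hypothetical and HMAC stands in for the guardians' ECDSA signatures so the sketch runs without dependencies.

```python
import hashlib
import hmac

def quorum(num_guardians: int) -> int:
    """Wormhole's quorum rule: more than two thirds of the guardian set."""
    return (num_guardians * 2) // 3 + 1

def sign(key: bytes, body: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for a guardian's secp256k1 signature.
    return hmac.new(key, hashlib.sha256(body).digest(), hashlib.sha256).digest()

def verify_vaa(body: bytes, signatures: list, guardian_keys: list) -> bool:
    """Accept the message if a quorum of distinct guardians signed it.

    signatures is a list of (guardian_index, signature) pairs. Indices must be
    strictly ascending so one guardian cannot be counted twice.
    """
    if len(signatures) < quorum(len(guardian_keys)):
        return False
    last = -1
    for index, sig in signatures:
        if index <= last or index >= len(guardian_keys):
            return False
        if not hmac.compare_digest(sig, sign(guardian_keys[index], body)):
            return False
        last = index
    return True

def accepted_with_compromised(set_size: int, compromised: int) -> bool:
    """Would a message signed only by `compromised` keys pass verification?"""
    keys = [bytes([i]) * 32 for i in range(set_size)]  # constructed keys
    # Constructed payload: the verifier never checks it against a real deposit.
    body = b"constructed transfer payload with no matching deposit"
    sigs = [(i, sign(keys[i], body)) for i in range(compromised)]
    return verify_vaa(body, sigs, keys)

if __name__ == "__main__":
    for size in (4, 19):
        print(size, "guardians: quorum", quorum(size),
              "| 3 compromised keys accepted:", accepted_with_compromised(size, 3))
```

The verifier checks only who signed, never whether a matching deposit exists, so the size and independence of the guardian set is the entire security margin.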

Sources & on-chain evidence

  1. alephium.org: https://alephium.org/news/post/the-alephium-bridge-exploit-on-chain-report/
  2. thedefiant.io: https://thedefiant.io/news/hacks/alephium-bridge-815k-forged-guardian-messages
  3. phemex.com: https://phemex.com/news/article/alephium-tokenbridge-hacked-815000-in-assets-stolen-86934
  4. cryptotimes.io: https://www.cryptotimes.io/2026/05/30/alephium-bridge-exploited-for-815k-13-76m-unbacked-alph-minted/
