Alephium, a proof-of-work Layer 1 blockchain, lost roughly $815,000 across Ethereum and BNB Chain on Friday after an attacker forged guardian messages through the bridge backend. The project confirmed that no private keys were compromised — the attacker simply pushed fake messages that the bridge treated as legitimate transfers.
How the attacker got through
The exploit didn't require stealing keys or breaking encryption. Instead, the attacker manipulated the bridge's backend to forge messages from legitimate guardians. Those messages instructed the bridge to release funds on the target chains as if a real cross-chain transfer had occurred. Alephium runs a private fork of the Wormhole bridge, which uses a guardian network to validate transfers. The attack targeted that backend specifically.
What was taken
Alephium lost about $815,000 in total, spread across Ethereum and BNB Chain. The project didn't specify which assets were drained, only that the attacker managed to push through fake transfer requests on both chains. The incident happened Friday, and the project has not yet announced whether it has paused bridge operations or started recovery efforts.
A private fork with public risks
Alephium's choice to run a private fork of the Wormhole bridge means it controls its own guardian set and backend code. But that independence also means the security of the bridge depends entirely on Alephium's own infrastructure. The Wormhole mainnet has been audited by multiple firms; a private fork may not have received the same level of scrutiny. Friday's attack suggests that the backend — the piece that processes guardian messages — had a flaw the attacker could exploit without needing access to any guardian keys.
The exact vulnerability hasn't been disclosed, and it's unclear whether the same bug could affect other Wormhole forks. Alephium has not publicly shared a timeline for a post-mortem or a fix.
