OPUL Bridge Exploit

Forensic Report · Last updated 31 March 2026

Total OPUL Stolen

~475 Million

Chains Affected

Attack Date

13-14 Mar 2026

Root Cause

Bridge Exploit

Executive Summary

On March 13 and 14, 2026, an attacker exploited a vulnerability in the Messina cross-chain bridge to steal approximately 475 million OPUL tokens from bridge escrow vaults across three blockchains: Arbitrum, Ethereum, and BSC.

The vulnerability was a token multiplication flaw in the bridge's hop() function. By repeatedly calling this function, the attacker was able to generate new legitimate transfer approvals from a single original deposit, multiplying the claimable amount up to 143 times. The bridge's Guardian network, which is designed to sign all valid on-chain events without evaluating business logic, signed each of these approvals as legitimate.

The stolen tokens were rapidly sold on decentralized exchanges for ETH, USDC, and USDT. Our forensic investigation has traced the full flow of funds, identified 28 confirmed attacker wallets, and established direct links to two centralized exchanges (OKX and Gate.io) that the attacker used to fund the operation. A police report has been filed with the BVI Police, and we are cooperating with law enforcement to identify the attacker through exchange KYC records.

1. Root Cause

The root cause analysis was provided by the Messina bridge security team. The vulnerability stems from three issues that, combined, allowed the attacker to multiply tokens from a single deposit.

1.1 Identical Events from Bridge and Router

The Messina bridge has two smart contracts that interact with the Wormhole messaging protocol: the Bridge (for normal token transfers) and the Router (for cross-chain hops). Both contracts emit the exact same LogMessagePublished event through the Wormhole Core contract. The only difference is the sender address. This means, from the Guardian network's perspective, events from both contracts look identical.

1.2 Guardians Sign Everything

The Wormhole Guardian network is designed as a protocol-agnostic notary. Guardians only verify that an event was emitted from the Core Wormhole contract and that the block has been finalized. They do not evaluate:

Which contract emitted the event (Bridge, Router, or any other)
What the payload contains (transfer, hop, attestation, etc.)
Whether the underlying business logic is valid

This is by design, as the Guardian network serves multiple protocols with different business logic. The responsibility for validation sits at the smart contract level.

1.3 Missing Validation in hop()

The Router's hop() function lacked critical validation checks. Specifically, it did not prevent:

Same-chain hops: Calling hop() with the current network as the destination
Recursive hops: Using a VAA generated by a previous hop() as input for another hop()
Emitter address validation: Checking whether the VAA came from the Bridge or the Router

The result: The attacker could lock a small amount of tokens, receive a legitimate VAA (Verified Action Approval), call hop() on that VAA to generate a new VAA, call hop() on the new VAA to generate yet another, and repeat this cycle. Each hop() call generated a new Guardian-signed VAA for the same token amount. The attacker then claimed each VAA on the destination chain, receiving the full token amount every time. This produced a 143x multiplication from a single original deposit.

2. How the Attack Worked

Attacker
calls hop() on Avalanche

→

Router
emits event

→

Guardians
sign VAA

→

Chain vault
releases tokens

→

Attacker wallet
receives OPUL

→

DEX pool
OPUL sold

The attack followed this sequence:

Funding: The attacker funded relay wallets on Avalanche using AVAX from OKX and USDt from Gate.io.
Seed deposit: A small amount of OPUL was locked on the Avalanche bridge, generating a legitimate VAA signed by the Guardian network.
Multiplication: The attacker called hop() repeatedly on the Avalanche Router, using each new VAA as input for the next hop. Each call generated a fresh Guardian-signed VAA for the same token amount.
Claims across chains: The attacker claimed the multiplied VAAs on Arbitrum, Ethereum, and BSC, draining OPUL from each chain's bridge escrow vault.
Liquidation: Stolen OPUL was rapidly sold on decentralized exchanges (primarily on Arbitrum) for ETH, USDC, and USDT. The attacker continued selling throughout the day.

Attack Timeline

Time (UTC)	Chain	Event
13 Mar, ~14:28	Ethereum	First exploit claims begin on Ethereum
13 Mar, ~20:47	BSC	Exploit expands to BSC
14 Mar, ~04:11	Arbitrum	Main exploit phase begins on Arbitrum (largest volume)
14 Mar, ~15:46	Avalanche	Attacker receives OKX and Gate.io funding for relay wallets
14 Mar, ~20:33	Arbitrum	Last exploit transactions recorded

3. What Was Stolen

3.1 Stolen Tokens by Chain

Based on the combined analysis from our forensic investigation and Messina's root cause report, the total stolen tokens break down as follows:

Chain	OPUL Stolen	Attacker Wallets	Escrow Vault
Arbitrum	436,209,123	11	0x9b3f...bf7
Ethereum	37,477,500	1	Ethereum bridge vault
BSC	1,289,995	1	BSC bridge vault
Total	~474,976,619	13

Our independent investigation verified 819 exploit transactions on Arbitrum that drained the Arbitrum escrow vault through unauthorized completeTransfer() calls to the exploited bridge relay contract. The Ethereum and BSC chains were exploited separately using the same hop() multiplication technique.

3.2 Key Infrastructure Addresses

These are victim-side and bridge infrastructure addresses. They are not attacker wallets.

Role	Address	Chain
Victim vault (bridge escrow)	0x9b3fb3b1b5d994750d66dcc5ad7a6c7477b00bf7	Arbitrum
Exploited bridge relay	0x537816fbb8ec6078fb8b51f3bc35d5444edcb361	Arbitrum
Bridge emitter (Router)	0x0f7ba1632447ded5dd18ceb65755e3d36aff4587	Avalanche
OPUL token contract	0x0c5fa0e07949f941a6c2c29a008252db1527d6ee	Arbitrum

4. Confirmed Attacker Wallets

The following wallets are confirmed as part of the attack infrastructure. Each has a direct, provable on-chain link to the exploit: it either called completeTransfer() on the exploited relay contract, was funded by exchanges to execute the relay phase, received stolen proceeds, or was identified by Messina as a claim destination.

4.1 Primary Recipients (Arbitrum)

These wallets received the largest amounts of stolen OPUL directly from the Arbitrum escrow vault.

#	Wallet	Role	OPUL Received
1	0x3c6e...cb33	completeTransfer() caller	173,576,501
2	0x80fb...880a	completeTransfer() caller	69,839,545
3	0x50a9...72a3	completeTransfer() caller	67,451,590
4	0xa2f2...9019	Relay wallet + DEX seller (OKX + Gate.io funded)	53,297,206
5	0xa60d...cf40	completeTransfer() caller	42,604,889
6	0x5960...47d1	Relay wallet (OKX + Gate.io funded)	17,393,164
7	0x4713...bc31	Relay wallet (OKX funded)	7,406,514
8	0x0b20...c4e5	completeTransfer() caller	4,638,033

4.2 Cross-Chain Recipient

This wallet received stolen OPUL on both Ethereum and BSC, as identified by Messina's analysis.

Wallet	Chain	OPUL Received
0x0250...fc62	Ethereum	37,477,500
0x0250...fc62	BSC	1,289,995

View all 28 confirmed attacker wallets

#	Wallet	Role
1	0x65a8f07bd9a8598e1b5b6c0a88f4779dbc077675	Origin wallet, multichain operator
2	0x3c6e095b601a40f355add029c3fe03e7cb9dcb33	completeTransfer() caller
3	0x80fbb6cb338479f1d26e37fab45675788b56880a	completeTransfer() caller
4	0x50a95f7d14514dd4081122d5811a59dd5f2f72a3	completeTransfer() caller
5	0xa2f2ffaaeac36051ca70961840275c922c499019	Relay wallet + DEX seller
6	0xa60dccdea8dae2fc94ee5c1672d4a8d690c0cf40	completeTransfer() caller
7	0x596020fa8da30da5449d95468f200d7b5c7c47d1	Relay wallet (OKX + Gate.io funded)
8	0x4713f9d54f5bf2f7155e2a9f89cf0631fc60bc31	Relay wallet (OKX funded)
9	0x0b20c5ecb56f9bcc05147c673c6c734d388ac4e5	completeTransfer() caller
10	0x4795f37be8b65503c2116afb5577cffa545a6ca5	completeTransfer() caller
11	0xe6a2f70eeb6cd60a5626d8834da4ee8012da9036	completeTransfer() caller
12	0x7c72d894f8cfbca0cedc43985356765ba7312592	completeTransfer() caller
13	0xa06f3c927cf04c7f27b7af3ec8c9a44b7c772f27	completeTransfer() caller
14	0xaba0782cb9b8bb21fbfe2c951a887bbf8302973e	completeTransfer() caller
15	0x24b9b0eae8fa1236b2edf25b1e0c3ce0690073db	completeTransfer() caller
16	0xcf363eb7671cff998907c0479c3844e6dce05ddb	completeTransfer() caller
17	0x9fff7a309ff09d41f04f8b0ed76483ee6c4addb3	completeTransfer() caller
18	0xb0fb15c2e9a6654901c37eb015923970bccce522	completeTransfer() caller
19	0xfabc88f604a25f177e2ca284256f2bccb84fd9c2	completeTransfer() caller
20	0x6a4576c1d6fb52217d27f26af5ec06c1be5c7921	completeTransfer() caller
21	0x59d011da9f85a53096459a41966a32ccd20ff936	completeTransfer() caller
22	0x1aafacc008099845d6c35df8c5925c8e659c4400	completeTransfer() caller
23	0xecb7ae3a8c07e47781d6da768c7acd13c56d4c48	completeTransfer() caller
24	0x00e0fd870441c669bacf58b2ccef9fff6f6da637	Operational wallet
25	0x1f9dbcf911ab881fe95a7ca514d2069e215da7b5	Direct recipient
26	0x4cd00e387622c35bddb9b4c962c136462338bc31	Cash-out contract
27	0xb92fe925dc43a0ecde6c8b1a2709c170ec4fff4f	Cash-out contract
28	0x025031a6587faf0680b64bbbf211e20de4d4fc62	Cross-chain recipient (ETH + BSC)

5. Exchange Evidence

The attacker funded the relay wallets on Avalanche using two centralized exchanges. These exchange-linked transactions represent the strongest leads for identifying the attacker through KYC records.

5.1 OKX Funding (Avalanche)

Three AVAX withdrawals from an OKX-confirmed custodial wallet directly funded wallets that then executed the bridge exploit.

Time (UTC)	To	Amount	TX Hash
14 Mar, 15:46	0x4713...bc31	1.045 AVAX	0x8b81...a8f4
14 Mar, 15:49	0x5960...47d1	1.000 AVAX	0x0d48...7511
14 Mar, 16:14	0xa2f2...9019	1.000 AVAX	0x2601...4eef

5.2 Gate.io Funding (Avalanche)

Four USDt transfers from a publicly labeled Gate.io wallet funded the same relay wallets.

Time (UTC)	To	Amount	TX Hash
14 Mar, 15:49	0x5960...47d1	399.95 USDt	0xe5c3...acef
14 Mar, 16:12	0xa2f2...9019	199.95 USDt	0x57cd...4ed0
14 Mar, 16:23	0x5960...47d1	199.95 USDt	0x0973...abf3
14 Mar, 16:40	0x5960...47d1	166.90 USDt	0xcf98...278e

Cross-exchange coordination: Relay wallet 0x5960...47d1 received OKX AVAX and Gate.io USDt at the same minute (15:49 UTC). Relay wallet 0xa2f2...9019 received Gate.io USDt at 16:12 and OKX AVAX at 16:14. Both wallets immediately executed the bridge exploit. This strongly indicates a single attacker operating accounts on both exchanges.

6. Our Response

Immediate bridge shutdown: The Messina bridge was halted as soon as the exploit was detected to prevent further drainage.
Forensic investigation: We conducted a complete on-chain reconstruction of the vault drain, tracing all 819 exploit transactions on Arbitrum and over 1,600 subsequent selling and movement transfers.
Root cause analysis: Messina's security team identified and documented the technical vulnerability (hop() token multiplication).
Exchange notifications: OKX and Gate.io were contacted with full transaction evidence and asked to freeze accounts linked to the attacker and preserve KYC records.
Police report filed: A formal police report has been filed with BVI Police, including all attacker wallet addresses and exchange-linked evidence.
Ongoing monitoring: All 28 confirmed attacker wallets remain under active monitoring for any movement of remaining funds.

7. How to Verify

All evidence in this report is verifiable on public blockchain explorers. You do not need to trust us. You can independently confirm every claim.

Verify the vault drain: Go to the victim vault on Arbiscan, click "Token Transfers," and filter for OPUL. You will see the 819+ exploit outflows alongside a small number of legitimate transfers.
Verify any attacker wallet: Click any wallet address in Section 4. On Arbiscan, check its transaction list for calls to the exploited relay contract 0x537816fbb8ec6078fb8b51f3bc35d5444edcb361.
Verify exchange funding: The OKX and Gate.io transactions in Section 5 can be verified on Snowtrace (the Avalanche blockchain explorer). The source addresses are publicly labeled as OKX and Gate.io wallets.
Verify cross-chain claims: The Ethereum claims can be verified on Etherscan and the BSC claims on BscScan.

Sources: This report is based on our independent on-chain forensic investigation (Arbitrum and Avalanche transaction analysis), Messina's official Root Cause Analysis, and Messina's exploit wallet and transaction data. All on-chain data is independently verifiable on Arbiscan, Snowtrace, Etherscan, and BscScan.

← Back to main page