Adshares Bridge Minter Key Exploited For $628K Via Fake WADS

On May 17, 2026, the Adshares cross-chain bridge was exploited for approximately $628,000 when an attacker used the bridge-minter Externally Owned Account (EOA) to sign three unauthorized wrapTo() calls on the wADS token contract (0xcfcecfe2bd2fed07a9145222e8a7ad9cf1ccd22a on Ethereum). The attacker provided non-existent native-chain transaction IDs as parameters, effectively minting fake wrapped ADS tokens without any corresponding deposits on the Adshares native chain. The technical execution was straightforward but effective: the bridge-minter EOA — the single authorized account permitted to call wrapTo() — signed three minting transactions for 99,999.93, 99,999.93, and 999,999.94 wADS tokens respectively, totaling approximately 1.1 million fake wADS. The bridge contract lacked verification that the referenced native-chain transaction IDs actually existed or contained valid deposits. Once minted, the attacker dumped the fake wADS tokens through Uniswap V4's UniversalRouter, draining approximately 148.5 ETH and $305,000 USDC from liquidity pools — totaling roughly $628,000 in real assets extracted from liquidity providers. PeckShield flagged the incident as one of eight bridge-related exploits tracked in May 2026, contributing to a cumulative $328.6 million in bridge losses for the month. The Adshares team responded by posting an on-chain whitehat message offering a 10% bounty for the return of 90% of stolen funds. The exploiter accepted the terms, returning 256 ETH (approximately $540,700) to the project's deployer address — representing roughly 86% of stolen funds. The attacker retained approximately $87,000 as a de facto bounty. This exploit exemplifies a recurring vulnerability pattern in bridge architectures: reliance on a single EOA for minting authority without requiring on-chain proof of the corresponding source-chain transaction. The bridge essentially operated on a trust assumption that the minter key would only sign legitimate transactions — an assumption that fails catastrophically upon key compromise. More robust designs require threshold signatures, zero-knowledge proofs of source transactions, or on-chain light client verification. Liquidity providers on decentralized exchanges face particular risk from bridge minting exploits, as fake tokens dumped into pools extract real value from LPs who cannot distinguish legitimate from fraudulent bridge mints. Users providing liquidity to wrapped-asset pairs should monitor the minting authority structure of the wrapped token contract, favor bridges with multisig or threshold minting controls, and consider setting tighter position ranges to limit exposure to sudden large-volume dumps.