Key Highlights
- Hyperbridge exploit drained ~$237K after a Token Gateway verification flaw allowed forged proofs on Ethereum.
- Attackers minted excess bridged tokens and quickly sold them on DEXs after bypassing validation checks.
- The impact was limited to bridged DOT tokens, with operations paused as fixes and investigations continue.
Hyperbridge, a cross-chain interoperability protocol that describes itself as fully decentralized and permissionless, reported that a vulnerability in its Token Gateway led to roughly $237,000 in losses on Ethereum.
In an X post on Monday, the team said bridging operations were paused immediately after the issue was detected, with investigations ongoing.
Attack enabled by proof verification flaw
The exploit was traced to a bug in the protocol's proof verification logic, specifically in how Merkle Mountain Range (MMR) proofs were validated within a Solidity contract.
Security analysis from BlockSec found that the verification function did not fully validate the inputs it was given. A forged proof, one that did not correspond to any legitimately committed state, was therefore accepted as valid, and the malicious message it carried was processed by the gateway.
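The Python model below is an added illustration, not code from Hyperbridge, BlockSec or the page, of why an MMR proof verifier has to validate the structure of what it is handed and not only compare a recomputed root. It builds a small MMR over constructed sample messages, proves an honest leaf, and then tries to pass the two children of an internal node off as a "leaf" with a shortened proof. A relaxed verifier that hashes leaves and inner nodes the same way and never checks the proof length against the leaf position accepts the forgery; a strict verifier with leaf/node domain separation and structural checks rejects it. The specific check that was missing in the Hyperbridge contract is not described on this page; the flaw modelled here is a generic one, and all names and messages are the example's own.

```python
"""Toy MMR proof verification: a relaxed verifier that only compares roots versus a
strict one that also validates proof structure. Illustration only, not Hyperbridge code."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from typing import Optional


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


@dataclass
class Node:
    h: bytes
    height: int
    left: Optional[Node] = None
    right: Optional[Node] = None


class MMR:
    """Merkle Mountain Range kept as a list of perfect binary trees (peaks), tallest first."""

    def __init__(self, strict: bool):
        self.strict = strict          # strict: domain-separate leaf and inner-node hashes
        self.peaks: list[Node] = []
        self.leaf_count = 0

    def leaf_hash(self, data: bytes) -> bytes:
        return H(b"\x00", data) if self.strict else H(data)

    def node_hash(self, l: bytes, r: bytes) -> bytes:
        return H(b"\x01", l, r) if self.strict else H(l, r)

    def append(self, data: bytes) -> None:
        node = Node(self.leaf_hash(data), 0)
        while self.peaks and self.peaks[-1].height == node.height:   # merge equal heights
            left = self.peaks.pop()
            node = Node(self.node_hash(left.h, node.h), node.height + 1, left, node)
        self.peaks.append(node)
        self.leaf_count += 1

    def root(self) -> bytes:
        acc = self.peaks[-1].h                      # "bag" the peaks from right to left
        for p in reversed(self.peaks[:-1]):
            acc = self.node_hash(p.h, acc)
        return acc

    def prove(self, index: int):
        """Return (siblings bottom-up as (hash, sibling_is_right), left peaks, right peaks)."""
        k, start = 0, 0
        while index >= start + (1 << self.peaks[k].height):
            start += 1 << self.peaks[k].height
            k += 1
        node, offset, siblings = self.peaks[k], index - start, []
        for h in range(node.height - 1, -1, -1):
            go_right = (offset >> h) & 1
            sib = node.left if go_right else node.right
            siblings.append((sib.h, not go_right))
            node = node.right if go_right else node.left
        siblings.reverse()
        return siblings, [p.h for p in self.peaks[:k]], [p.h for p in self.peaks[k + 1:]]


def verify(strict, root, leaf_count, index, data, siblings, left_peaks, right_peaks) -> bool:
    lh = (lambda d: H(b"\x00", d)) if strict else (lambda d: H(d))
    nh = (lambda l, r: H(b"\x01", l, r)) if strict else (lambda l, r: H(l, r))
    if strict:
        # Structural checks the relaxed verifier skips: the leaf index must exist, the peak
        # count must match the committed leaf count, and the sibling path must be exactly as
        # long as the height of the peak that contains this leaf.
        if not 0 <= index < leaf_count:
            return False
        heights = [b for b in range(leaf_count.bit_length() - 1, -1, -1) if (leaf_count >> b) & 1]
        if len(left_peaks) + 1 + len(right_peaks) != len(heights):
            return False
        k, start = 0, 0
        while index >= start + (1 << heights[k]):
            start += 1 << heights[k]
            k += 1
        if k != len(left_peaks) or len(siblings) != heights[k]:
            return False
    acc = lh(data)
    for sib, sib_is_right in siblings:
        acc = nh(acc, sib) if sib_is_right else nh(sib, acc)
    peaks = left_peaks + [acc] + right_peaks
    bagged = peaks[-1]
    for p in reversed(peaks[:-1]):
        bagged = nh(p, bagged)
    return bagged == root


def forge_internal_node_as_leaf(mmr: MMR):
    """Pass the concatenated children of a height-1 node off as a 'leaf' with a short proof."""
    node, siblings = mmr.peaks[0], []
    while node.height > 1:                 # walk the leftmost path down, recording siblings
        siblings.append((node.right.h, True))
        node = node.left
    siblings.reverse()
    fake_leaf = node.left.h + node.right.h  # H(fake_leaf) == node.h when leaves are not domain-separated
    return fake_leaf, siblings, [], [p.h for p in mmr.peaks[1:]]


def demo() -> dict[bool, tuple[bool, bool]]:
    """Map strict -> (honest proof accepted, forged proof accepted), over constructed sample messages."""
    msgs = [f"constructed sample message {i}".encode() for i in range(5)]
    results = {}
    for strict in (False, True):
        mmr = MMR(strict)
        for m in msgs:
            mmr.append(m)
        root, n = mmr.root(), mmr.leaf_count
        sib, lp, rp = mmr.prove(3)
        honest = verify(strict, root, n, 3, msgs[3], sib, lp, rp)
        fake, fsib, flp, frp = forge_internal_node_as_leaf(mmr)
        forged = verify(strict, root, n, 0, fake, fsib, flp, frp)
        results[strict] = (honest, forged)
    return results


if __name__ == "__main__":
    print(demo())   # {False: (True, True), True: (True, False)}
```

The forged proof reproduces the committed root exactly, so a verifier whose only check is "does the recomputed root match?" has no way to reject it. What stops it in the strict variant is the input validation around the hashing: the proof length is compared against the height implied by the claimed leaf position and the committed leaf count, and leaves and inner nodes are hashed under different prefixes so that no 64-byte "message" can masquerade as an inner node.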
Unauthorized minting and rapid sell-off
With verification bypassed, the attacker was able to direct the bridged token contract to mint a large volume of synthetic assets.
Approximately 1 billion bridged DOT tokens were created, far more than the legitimate circulating supply. The attacker then sold these tokens on decentralized exchanges, extracting value before the issue was contained.
Impact limited to bridged assets
According to the team, the incident affected only bridged DOT tokens on Ethereum. Native Polkadot assets and other parts of the ecosystem were not impacted.
The exploit did not compromise the underlying cryptographic design of the bridge, which relies on verifying proofs of the counterparty chain's state rather than on validator or multisig approval.
Broader risks in bridge infrastructure
Cross-chain bridges have been frequent exploit targets, and the cause is often an implementation flaw rather than a flaw in the design. While Hyperbridge aimed to reduce trust assumptions through cryptographic verification, the incident shows that an error in implementing that verification is itself a vulnerability.
The issue in this case stemmed from missing validation checks rather than a failure of the core bridging model.
Response and next steps
Hyperbridge said it is working with security partners to trace and recover funds where possible. Bridging services will remain paused while fixes are implemented and reviewed.
The team has not provided a timeline for resuming operations, but indicated further updates will follow as the investigation progresses.
