Key Highlights
- The loss amount for Hyperbridge following the attack is now estimated at around $2.5 million from $237,000.
- The increased loss resulted from incentive pools impacted by the hack from chains such as Ethereum, Base, BNB Chain, and Arbitrum.
- The attack capitalized on vulnerabilities within the Token Gateway contract, leading to the minting of almost 1 billion bridged DOT tokens.
Hyperbridge, a fully decentralized and permissionless protocol, has released a comprehensive update today regarding the exploit that happened on April 13, 2026.
In an X post, the team shared that the revised initial loss estimate had increased from around $237,000 to around $2.5 million, mainly because of the additional impacts on incentive pools over multiple chains.
The firm noted that the majority of the increase reflects losses from incentive pools over Ethereum, Base, BNB Chain, and Arbitrum. It also accepted that the verification logic needs more frequent audits and adversarial testing at every layer of the stack.
Overview of the incident
On April 13, hackers utilized a security flaw in the Token Gateway smart contract operated by Hyperbridge in the Ethereum network. The attack proceeded in stages, where the first stage saw the hacker withdraw roughly 245 ETH, and a little while after an hour, the hacker submitted a fake cross-chain message that circumvented the security protocols’ proof verification feature.
This led to an unprecedented minting of approximately 1 billion bridged DOT tokens, way above normal amounts. Following this move, the hacker cashed out the tokens using decentralized platforms, causing further losses. Bridging operations were stopped immediately after the detection of the issue, and an investigation started with the support of security partners.
The security assessments, involving contributions from companies such as BlockSec and external security researchers, pinpointed the vulnerability associated with the Solidity contract’s Merkle Mountain Range (MMR) proof validity checks. Notably, the vulnerabilities were linked to poor input validation, which involved the lack of checks on the boundaries of proof indexes and poor linkage of proofs with their respective requests.
Another vulnerability allowed for an instantaneous transfer of admin access control without any proper protection mechanism or time locks, allowing for unauthorized minting. It was emphasized by the team that this breach had occurred due to bugs in the implementation of the proof verification process and not the design of the state-proof mechanism itself.
Steps taken by Hyperbridge
The Hyperbridge team has already started tracking the hacked money using blockchain analysis tools, with a notable chunk of it apparently going through exchanges.
The team is working together with the compliance team and authorities in order to freeze these funds for further recovery. The patch for the broader vulnerability class of MMR validation is ready in conjunction with auditors from outside organizations. Bridging operations will be held off until the patch is deployed, independently audited, and an audit report is released.
Opening of the return window
Moreover, Hyperbridge noted that certain regular users, apart from the main attacker, have withdrawn DOT from manipulated escrow pools at the time of or immediately following the attack.
This caused the price of DOT to severely distort as compared to the other assets, permitting small swaps of other tokens for disproportionately large amounts of DOT, which some bridged back to Polkadot. These funds originally belonged to the victims of the exploit.
Hyperbridge has also opened a 14-day return window, where the funds can be voluntarily returned. If no return is made after two weeks, wallet addresses holding unreturned funds will be referred to the authorities.
Broader outlook
This incident highlights that there may be issues even with cryptographic security mechanisms in cross-chain technology because, in this case, the risks occurred at the level of executing the code.
In any case, Hyperbridge confirmed its confidence in the future of proof-of-interoperability for bridging with the caveat that more careful attention would be paid to implementation in the future. The full forensic investigation is likely to take several weeks or months.
Also Read: Fact Check: Is Solana Actually Collaborating With XRP?
