Key Highlights
- Hyperbridge’s April 13 exploit stemmed from a vulnerability in its MMR verifier logic.
- The attacker used a forged proof with an out-of-bounds leaf index to drain Token Gateway funds.
- Hyperbridge launched a public bug bounty program with rewards up to $50,000 following the incident.
Hyperbridge, a decentralized and permissionless cross-chain protocol, today published a detailed post-mortem on the security incident of April 13, 2026, in which an attacker exploited a vulnerability in the protocol's Merkle Mountain Range (MMR) verifier to drain funds from the Token Gateway contract.
According to the report, the attacker submitted a forged proof containing a leaf with an out-of-bounds index. The MMR verifier accepted it because, after iterating over the peaks of the Merkle structure, it never checked that every leaf in the proof had actually been consumed: a leaf whose index falls outside every peak is simply never folded into the root, yet the proof still verifies. Downstream components therefore treated the forged message as legitimate, allowing funds to be extracted from the Token Gateway settlement layer.
Internal review and security audits
Following the incident, Polytope Labs conducted an internal review and commissioned an independent security audit from Security Research Labs (SR Labs). Altogether, the audits identified 14 findings across the verification and settlement stack: 1 critical, 3 high, 5 medium, 4 low, and 1 informational.
In parallel, Polytope Labs' internal audit of the entire Hyperbridge protocol found the same class of flaw in two widely used open-source libraries in the Polkadot ecosystem. Both issues were disclosed privately to the maintainers and have since been addressed:
- paritytech/merkle-mountain-range (used in Polkadot’s pallet-beefy-mmr): Fixed by Parity.
- antouhou/rs-merkle: Hyperbridge is currently running on a patched fork while upstream review continues.
Other findings included duplicate-leaf-index attacks and empty leaf proofs that verified successfully (both the same accept-by-default pattern as the exploited bug), as well as fee-on-transfer token handling and escrow accounting problems in IntentGatewayV2.
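To make the verifier failure mode concrete, here is a simplified MMR proof verifier written for this article in Python; it is example code, not the Rust code of Hyperbridge, paritytech/merkle-mountain-range or rs-merkle. It models leaves by leaf index rather than node position, uses SHA-256 with domain-separation prefixes, and includes an honest prover so the demo runs offline on a constructed seven-leaf MMR. `verify_vulnerable` reproduces the class of bug described above: it walks the peaks, takes a peak's root straight from the proof whenever none of the claimed leaves fall under it, and never checks that every claimed leaf was consumed, so a leaf with index 100 in a seven-leaf MMR passes. `verify_hardened` adds the checks the post-mortem's findings call for: a non-empty, duplicate-free, in-bounds leaf set and no leftover leaves or proof items, which also covers the duplicate-leaf-index and empty-proof findings listed above. The hashing scheme, function names and sample messages are assumptions made for the example.

```python
import hashlib
from collections import deque

def leaf_hash(data):
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def peaks(leaf_count):
    out, start = [], 0   # (first_leaf_index, width): one perfect tree per set bit, largest first
    for bit in reversed(range(leaf_count.bit_length())):
        width = 1 << bit
        if leaf_count & width:
            out.append((start, width))
            start += width
    return out

def tree_root(level):
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def bag_peaks(peak_roots):
    acc = peak_roots[-1]                  # fold peak roots right-to-left into the MMR root
    for p in reversed(peak_roots[:-1]):
        acc = node_hash(p, acc)
    return acc

def gen_proof(leaves, indices):
    """Honest prover: proof items in the order the verifier consumes them."""
    hashes, proof = [leaf_hash(leaf) for leaf in leaves], []
    for start, width in peaks(len(hashes)):
        level = hashes[start:start + width]
        known = {i - start for i in indices if start <= i < start + width}
        if not known:                     # peak holds no target leaf: ship its root only
            proof.append(tree_root(level))
            continue
        while len(level) > 1:
            parents = set()
            for i in sorted(known):
                if i // 2 in parents:
                    continue              # pair already handled via its sibling
                if (i ^ 1) not in known:
                    proof.append(level[i ^ 1])
                parents.add(i // 2)
            level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            known = parents
    return proof

def peak_root(start, width, leaves, proof):
    """Recompute one peak's root from its known leaves plus sibling hashes from the proof."""
    nodes = {i - start: h for i, h in leaves}
    while width > 1:
        parents = {}
        for i in sorted(nodes):
            if i // 2 in parents:
                continue
            sib = nodes[i ^ 1] if (i ^ 1) in nodes else proof.popleft()
            left, right = (nodes[i], sib) if i % 2 == 0 else (sib, nodes[i])
            parents[i // 2] = node_hash(left, right)
        nodes, width = parents, width // 2
    return nodes[0]

def verify_vulnerable(root, leaf_count, leaves, proof_items):
    """Bug: a leaf under no peak is never consumed or checked; proof-supplied peak roots still match."""
    proof, leaves, roots = deque(proof_items), sorted(leaves), []
    for start, width in peaks(leaf_count):
        mine = [(i, h) for i, h in leaves if start <= i < start + width]
        roots.append(proof.popleft() if not mine else peak_root(start, width, mine, proof))
    return bag_peaks(roots) == root

def verify_hardened(root, leaf_count, leaves, proof_items):
    """Reject empty, duplicate and out-of-bounds leaf sets; require every leaf and proof item consumed."""
    leaves = sorted(leaves)
    if not leaves or len({i for i, _ in leaves}) != len(leaves) or leaves[-1][0] >= leaf_count:
        return False
    proof, roots, consumed = deque(proof_items), [], 0
    try:
        for start, width in peaks(leaf_count):
            mine = [(i, h) for i, h in leaves if start <= i < start + width]
            consumed += len(mine)
            roots.append(proof.popleft() if not mine else peak_root(start, width, mine, proof))
    except IndexError:
        return False                      # proof ran out of items
    if consumed != len(leaves) or proof:
        return False                      # leftover leaves or leftover proof items
    return bag_peaks(roots) == root

LEAVES = [b"message-%d" % i for i in range(7)]   # constructed sample MMR: peaks of 4, 2 and 1 leaves
ROOT = bag_peaks(gen_proof(LEAVES, []))           # with no target leaves the "proof" is just the peak roots

def demo():
    honest = [(2, leaf_hash(LEAVES[2])), (5, leaf_hash(LEAVES[5]))]
    honest_proof = gen_proof(LEAVES, [2, 5])
    forged = [(100, leaf_hash(b"release escrow to attacker"))]   # index 100 does not exist
    forged_proof = gen_proof(LEAVES, [])  # the three real peak roots, which anyone can compute
    return (verify_vulnerable(ROOT, 7, honest, honest_proof), verify_hardened(ROOT, 7, honest, honest_proof),
            verify_vulnerable(ROOT, 7, forged, forged_proof), verify_hardened(ROOT, 7, forged, forged_proof))
```

`demo()` returns `(True, True, True, False)`: both verifiers accept the honest proof, only the vulnerable one accepts the forgery. The bounds check alone would stop this particular forgery, but the consumed-count check is what closes the class, because it rejects any leaf the peak loop did not actually fold into the root, whatever the reason; the same verifier also rejects an empty leaf set, which the vulnerable version accepts for the same reason it accepts the out-of-bounds leaf.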
Response and bug bounty program
In response, Hyperbridge tightened proof verification rules, reduced the attack surface through code refactoring, and improved settlement logic. The team also launched a public bug bounty program on Hacken Proof with rewards ranging from $200 to $50,000.
The scope covers the complete Hyperbridge protocol repository: any vulnerability class that could compromise the integrity of messages or funds passing through Hyperbridge is eligible. Reports are acknowledged, triaged, and rewarded within three days of approval.
In its thread on X, Hyperbridge emphasized transparency and proactive responsibility to the ecosystem. The exploit was confined to the Token Gateway and did not compromise the broader cross-chain messaging infrastructure; no further losses have been reported since the protocol was paused.
Difficulties in cross-chain solutions
The April 13 incident came down to a single missing check in Hyperbridge's MMR verifier, which let a forged Merkle proof pass validation and drain the Token Gateway.
Funds were lost, but the team paused the protocol quickly, fixed the flaw, and commissioned audits that surfaced a number of further issues. Publishing the post-mortem and sharing the findings with the wider Polkadot ecosystem, including private disclosure to the affected library maintainers, was the responsible course.
The incident underlines how hard it remains to build a secure cross-chain system. With the protocol relaunching on audited code, expanded testing, and a bug bounty, whether those measures hold up will only become clear over time.