Key Highlights
- Hyperbridge launched a public bug bounty program on HackenProof.
- Critical vulnerabilities can earn rewards of up to $50,000.
- The scope includes cross-chain messaging and smart contract risks.
Hyperbridge, a decentralized cross-chain interoperability protocol developed by Polytope Labs, has officially rolled out a comprehensive bug bounty program on the HackenProof platform today. The initiative invites independent security researchers to investigate its runtime, pallets, and smart contracts, offering rewards up to $50,000 for critical vulnerabilities.
According to the official announcement, “The Hyperbridge bug bounty is now live on HackenProof. Independent security researchers can review the Hyperbridge codebase and submit vulnerability reports through the security platform.”
The announcement came weeks after an exploit in April 2026 in which around $2.5 million was lost. The incident, which involved the minting of bridged Polkadot (DOT) tokens and their subsequent liquidation, highlighted risks in cross-chain messaging and proof verification systems.
The reward system and the scope
Hyperbridge’s reward system is tiered by severity:
- Low severity findings—$200
- Medium severity findings—$2,000-$5,000
- High severity findings—$5,000-$15,000
- Critical severity findings—Up to $50,000
The scope of the program covers the complete Hyperbridge protocol repository, including issues associated with logic flaws, access control, reentrancy, cross-chain message spoofing, state manipulation, and anything that could compromise message or fund integrity.
Out-of-scope items consist of theoretical vulnerabilities without proof, compiler version issues, gas optimizations, code style violations, and front-running attacks that do not have broader impact.
The program requires responsible disclosure exclusively through HackenProof, which limits direct contact with the team and public discussion of findings. Reports are reviewed, classified, acknowledged, and then approved. Once a report is approved, the reward is transferred within three days.
Only the first reporter of a qualifying vulnerability is eligible. Submissions must include detailed reproduction steps and, where applicable, proof-of-concept code, and must adhere to strict disclosure rules. AI-generated reports that do not contain runnable PoCs will not be accepted.
Post-mortem of the attack
Following the attack, Hyperbridge published a detailed post-mortem of the exploit yesterday. The report states that an attacker exploited a flaw in the Merkle Mountain Range (MMR) verifier by submitting a forged proof with an out-of-bounds leaf index.
The verifier did not detect leftover leaves after processing peaks, so the forged message was accepted as valid, which allowed funds to be drained from the Token Gateway contract without authorization.
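The two checks the post-mortem points to (leaf index within bounds, no leaves left over once the peaks are processed), shown on a toy MMR verifier. This is an added example, not Hyperbridge's code: the proof layout, the `strict` flag and all sample values are constructed for illustration.

```python
# Added illustration: toy MMR proof layout (assumed), not Hyperbridge's verifier.
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def peak_root(leaves: dict, size: int, proof) -> bytes:
    """Root of one perfect subtree; `leaves` maps position-in-peak -> hash."""
    if not leaves:
        return next(proof)            # untouched peak: its hash comes from the proof
    layer = dict(leaves)
    while size > 1:
        nxt = {}
        for pos in sorted(layer):
            if pos // 2 not in nxt:
                sib = layer[pos ^ 1] if pos ^ 1 in layer else next(proof)
                pair = layer[pos] + sib if pos % 2 == 0 else sib + layer[pos]
                nxt[pos // 2] = H(pair)
        layer, size = nxt, size // 2
    return layer[0]

def bag(peaks) -> bytes:
    return H(b"".join(peaks))

def verify(root, leaf_count, leaves, proof, strict=True) -> bool:
    """leaves: list of (leaf_index, leaf_hash). strict=False models the missing checks."""
    if strict and any(not 0 <= i < leaf_count for i, _ in leaves):
        return False                  # check 1: the index must exist in the tree
    items, peaks, start, used = iter(proof), [], 0, 0
    try:
        for k in reversed(range(leaf_count.bit_length())):
            if leaf_count >> k & 1:   # one peak per set bit of leaf_count
                size = 1 << k
                inside = {i - start: h for i, h in leaves if start <= i < start + size}
                used += len(inside)
                peaks.append(peak_root(inside, size, items))
                start += size
    except StopIteration:
        return False                  # proof too short
    if strict and (used != len(leaves) or next(items, None) is not None):
        return False                  # check 2: no leftover leaves or proof items
    return bag(peaks) == root

# Constructed sample: 5 leaves -> peaks of size 4 and 1.
LEAVES = [H(bytes([i])) for i in range(5)]
PEAK4 = peak_root(dict(enumerate(LEAVES[:4])), 4, iter(()))
ROOT = bag([PEAK4, LEAVES[4]])
BOGUS = [(7, H(b"not in the tree"))]  # constructed claim with an out-of-range index
# verify(ROOT, 5, BOGUS, [PEAK4, LEAVES[4]]) -> False; with strict=False -> True
```

With `strict=False` the out-of-range leaf falls into no peak, is never hashed, and the root still matches because the proof supplies every peak; either check alone closes that gap in this model.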
After this, Polytope Labs performed an internal review and commissioned Security Research Labs (SR Labs) to perform an independent audit. The two reviews found 14 vulnerabilities across the verification and settlement stack: 1 critical, 3 high, 5 medium, 4 low, and 1 informational.
Aggressive approach following vulnerability
This bug bounty program represents an aggressive approach after the latest vulnerability. By sharing its code with the wider security industry, Hyperbridge hopes not only to fix vulnerabilities but also to verify the basic security framework of its Interoperable State Machine Protocol (ISMP).
Success in the program may aid in rebuilding trust in Hyperbridge’s technology stack, driving its implementation in Polkadot and other interconnected chains. Researchers who wish to participate will find more information on the HackenProof page for Hyperbridge Protocol.
