
Hyperbridge Exploit Mints 1B DOT on Ethereum, Nets Just $237K
An attacker exploited Hyperbridge's cross-chain gateway on April 13 to mint 1 billion bridged Polkadot tokens on Ethereum, then dumped them for approximately $237,000 in ETH. Shallow liquidity in the bridged DOT pool capped the profit at a fraction of the tokens' $1.1 billion face value.
Context
Hyperbridge, built by Polytope Labs, is a cross-chain interoperability protocol that connects Polkadot to Ethereum using the Interoperable State Machine Protocol (ISMP). The protocol markets itself as a trust-minimized bridge secured by cryptographic proofs from the Polkadot relay chain rather than multisig committees.
Cross-chain bridges have been the most exploited infrastructure category in crypto for three years running. In Q1 2026 alone, hackers stole $168.6 million from 34 DeFi protocols, according to DefiLlama - down 89% from the $1.58 billion lost in Q1 2025, when the $1.4 billion Bybit exploit skewed the numbers.
The Polkadot community had just implemented a hard supply cap of 2.1 billion DOT through governance in March 2026, six weeks before Sunday's exploit. The cap was designed to reinforce DOT's monetary credibility after the token secured its first spot ETF listing on Nasdaq.
Details
The attacker forged a cross-chain state proof and submitted it to Hyperbridge's HandlerV1 contract on Ethereum. The contract's verification function accepted the forged proof as valid, allowing a fake governance message to execute a ChangeAssetAdmin action on the bridged DOT token contract. That gave the attacker full admin and minter rights.
With minting control in hand, the attacker created 1 billion DOT on Ethereum - roughly 2,800 times the normal bridged supply of about 356,000 tokens. They routed the fake DOT through the Odos Router and Uniswap v4 pools, extracting 108.2 ETH before the bridged token's price collapsed from $1.22 to near zero.
"An exploit affected one of our Ethereum contracts. We've paused all bridging and advised partners to halt related transactions while the team contains the issue" - Hyperbridge Team, Official Statement on X
BlockSec Falcon identified the root cause as a Merkle Mountain Range proof replay vulnerability. CertiK confirmed the attack vector separately, noting the attacker reused proof data from a previous legitimate transaction to bypass validation. Investigators found the exploiter's wallet was funded through Railgun and Synapse Bridge and had been active for 33 days before the attack.
Impact
Native DOT on Polkadot's relay chain was not affected. The exploit hit only the bridged representation on Ethereum. Still, the native token dropped roughly 6% from $1.23 to $1.16 on panic selling before recovering to $1.19 by Monday morning.
South Korean exchanges Upbit and Bithumb suspended DOT deposits and withdrawals within hours. Both exchanges, along with Coinone, added Polkadot to their delisting watchlists - a standard precaution under DAXA guidelines when a security incident affects an asset's infrastructure.
"Targeting is rarely purely random. In many cases, attackers are deliberate in how they assess infrastructure, code, access controls and even human behavior" - Nick Percoco, Chief Security Officer at Kraken
A second, smaller exploit using the same Hyperbridge pipeline drained about $12,000 in MANTA and CERE tokens earlier on Sunday. The pattern suggests the vulnerability was known to at least two separate actors.
Next Steps
Hyperbridge has paused all bridging operations and is working with security partners to trace and recover funds. The team has not provided a timeline for resuming services. Users have been warned not to interact with bridged or wrapped DOT on Ethereum until a new secure contract is deployed.
The protocol's Solidity-side proof verification will need a full audit before any restart. BlockSec's analysis points to missing proof-to-request binding as the core fix needed - a patch that would prevent replayed proofs from being accepted as valid for new requests.
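The proof-to-request binding that BlockSec's analysis calls for can be shown in a simplified model. This is an added example, not Hyperbridge's contract code: a plain binary Merkle tree stands in for the Merkle Mountain Range, and all function names and messages are constructed for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_proof(leaves, index):
    """Return (root, path) for leaves[index]; path holds (sibling, node_is_right)."""
    level, path = [h(x) for x in leaves], []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate last node on odd levels
        path.append((level[index ^ 1], index % 2 == 1))
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path

def fold(leaf_hash, path):
    node = leaf_hash
    for sibling, node_is_right in path:
        node = h(sibling + node) if node_is_right else h(node + sibling)
    return node

def verify_unbound(root, request, proof):
    # Flawed pattern: checks that the proof's own leaf is under the root,
    # but never ties that leaf to the request about to be executed.
    return fold(proof["leaf"], proof["path"]) == root

def verify_bound(root, request, proof, consumed):
    # Hardened pattern: the leaf is recomputed from the request itself,
    # and each commitment can be consumed only once.
    leaf = h(request)
    if leaf in consumed or fold(leaf, proof["path"]) != root:
        return False
    consumed.add(leaf)
    return True

def demo():
    # Constructed sample messages, not real bridge traffic.
    leaves = [b"req-0:transfer", b"req-1:transfer", b"req-2:transfer"]
    root, path = build_proof(leaves, 1)
    old_proof = {"leaf": h(leaves[1]), "path": path}
    new_request = b"req-9:change-admin"  # never committed under root
    consumed = set()
    return {
        "unbound_accepts_new_request": verify_unbound(root, new_request, old_proof),
        "bound_accepts_new_request": verify_bound(root, new_request, old_proof, consumed),
        "bound_accepts_original": verify_bound(root, leaves[1], old_proof, consumed),
        "bound_accepts_original_again": verify_bound(root, leaves[1], old_proof, consumed),
    }
```

The unbound verifier accepts a request that was never committed because the proof is valid on its own terms; the bound verifier rejects it, and also rejects a second use of the legitimate request.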
The broader question is whether Hyperbridge's trust-minimized design holds up after an implementation flaw this severe. The protocol's cryptographic model was not broken. The bug sat in the Solidity contract that checked the proofs. That distinction will matter in how the Polkadot community responds, particularly around compensation for affected liquidity providers.
P.S. This article is for informational purposes only and does not constitute investment advice. Always conduct your own research and make independent decisions.
