In short
- Hyperbridge’s exploit was about 10x worse than initially feared, with estimated losses now round $2.5 million.
- The protocol initially reported that there have been simply $237,000 in funds exploited earlier this week.
- The majority of stolen funds have been traced, and the agency is working with regulation enforcement within the hopes of freezing and recovering property.
An exploit that led to the minting of 1 billion wrapped Polkadot (DOT) tokens earlier this week is even worse than initially reported, in response to the staff behind Hyperbridge.
What was initially thought to quantity to $237,000 value of token losses linked to the Polkadot-Ethereum bridge is definitely nearer to $2.5 million—a greater than 10x improve from the preliminary report.
“An attacker exploited a vulnerability within the Merkle Mountain Vary (MMR) proof verification logic, permitting the wrongdoer to mint property and drain escrowed property on Token Gateway,” the staff posted in a Thursday postmortem.
The attacker extracted roughly 245 ETH from a associated TokenGateway contract.
About an hour later, a cast cross-chain message bypassed MMR proof verification, permitting the attacker to mint 1 billion bridged DOT and dump them into skinny liquidity.
— Hyperbridge (@hyperbridge) April 16, 2026
“Our preliminary public estimate of the realized loss was roughly $237,000, primarily based on the instantly observable sell-off of bridged DOT on Ethereum,” they added. “That determine didn’t seize the total image, we later realized.”
Along with the $237,000 in observable losses, a wise contract was exploited for 245 ETH or round $561,000 hours earlier than the malicious DOT token mintings. Plus, three linked blockchains—Base, Arbitrum, and BNB Chain—had been additionally impacted, contradicting the staff’s authentic report that solely wrapped DOT on Ethereum was affected.
“Following reconciliation of attacker exercise throughout every of the 4 chains, the two-phase nature of the assault, and losses from the related incentive swimming pools, the revised complete realized loss is roughly $2.5 million, denominated in ETH and DOT on the time of the exploit,” it wrote.
The stolen funds have been traced to a deposit handle on Binance, and the agency has engaged the centralized trade’s compliance staff and related regulation enforcement in an try and freeze and get well the stolen property—but it surely doesn’t count on a decision quickly.
“We’re pursuing each obtainable channel, however the real looking timeline for significant restoration in a case of this sort is measured in months, and might lengthen as much as a 12 months,” it added.
Whereas its aim is to make all affected customers entire, repaying funds which have been compromised, the protocol indicated that it’s “dedicated to a structured BRIDGE token allocation to cowl the residual loss,” ought to it’s unable to take action.
However BRIDGE, its native protocol token, maintains extraordinarily low volumes, final buying and selling $1,800 over 24 hours when it modified fingers for round $0.006 on March 29, in response to information from CoinGecko. At that value level, the token had a market cap of round $858,000, about one-third of the full losses from its exploit.
Bridging performance on the 4 affected blockchains stays paused, and can solely resume after a patch is deployed and audited.
“This doesn’t change our conviction that cross-chain interoperability is barely safe by cryptographic proofs,” the protocol staff wrote.
“What this exploit has made clear, expensively, is that verification logic wants extra frequent audits and adversarial testing at each layer of the stack,” it added. “That’s the usual Token Gateway will function below going ahead.”
Each day Debrief E-newsletter
Begin day-after-day with the highest information tales proper now, plus authentic options, a podcast, movies and extra.