Hyperbridge MMR Proof Bypass
1B bridged DOT minted on Hyperbridge after a missing bounds check in VerifyProof let an attacker forge MMR proofs; realised loss ~$2.5M.
- Date
- Victim: Hyperbridge
- Status
- Funds Stolen
On April 13, 2026, the Polkadot-based cross-chain bridge Hyperbridge was exploited via a missing bounds check in the Merkle Mountain Range (MMR) proof verification logic of its 2-year-old Handler V1 contract. The attacker minted approximately 1 billion bridged DOT tokens on EVM networks (Ethereum, Base, BNB Chain, Arbitrum) and dumped them into available liquidity. Initial losses were reported at $237,000 — later revised to approximately $2.5 million when the broader impact on incentive pools and dependent protocols became clear.
What happened
Hyperbridge connects Polkadot's parachain ecosystem to EVM networks using Merkle Mountain Range (MMR) cryptographic proofs. The bridge's EVM-side handler verifies these proofs against committed roots from the Polkadot relay chain to authorise withdrawals and token minting.
The vulnerability was a missing bounds check in the VerifyProof() function of the Handler V1 contract — code that had been written over two years before the exploit. Without the bounds check, an attacker could construct an MMR proof that the handler would accept as valid even though the proof did not correspond to any legitimate commitment.
The attack unfolded in two phases:
- Initial extraction: an attacker drained approximately 245 ETH from Hyperbridge's TokenGateway contract via the proof-bypass vulnerability.
- Main event (~1 hour later): the attacker minted approximately 1 billion bridged DOT tokens across the four supported EVM networks and immediately dumped them into available DEX liquidity.
The realised cash extraction was limited by DEX liquidity depth — most DEXs holding bridged DOT had limited capacity to absorb 1 billion incoming tokens at meaningful prices. The bridged DOT price collapsed on every EVM where Hyperbridge had liquidity, leaving most of the freshly-minted tokens effectively worthless.
The loss-estimate revision from $237K to $2.5M reflected:
- The realised DEX extraction (~$1M+ in real assets).
- Impacts on incentive pools across multiple chains that depended on bridged DOT.
- Cascading losses at integrated protocols that held bridged DOT as collateral or in liquidity positions.
Aftermath
- Hyperbridge opened a 14-day return window for the attacker, with the promise that wallet addresses holding unreturned funds after the deadline would be referred to law enforcement.
- Significant portions of the proceeds were traced to Binance — Hyperbridge engaged Binance's compliance team for asset freezing.
- The vulnerability was patched in subsequent Handler contract deployments with explicit bounds checks.
- Hyperbridge subsequently announced a $50,000 bug bounty program for future critical vulnerabilities — a relatively small payment that drew industry criticism as inadequate for the scale of the protocol's attack surface.
Why it matters
The Hyperbridge incident illustrates two converging 2026 patterns:
- Legacy contract code becomes increasingly dangerous as it ages — the 2-year-old Handler V1 was written in an era when MMR proof verification was less well-understood as an attack surface, and the missing bounds check survived multiple audits because cross-chain proof verification was treated as exotic territory by reviewers focused on EVM-native primitives.
- The gap between "minted supply" and "extracted value" continues to define how bridge exploits cash out at smaller chain ecosystems. The attacker minted $1 billion in nominal DOT representation but only extracted ~$2.5M in realised value because the liquidity venues couldn't absorb the supply at meaningful prices.
The defensive responses being adopted across the post-KelpDAO bridge ecosystem include:
- Mint controls — hard caps on cross-chain token issuance per epoch.
- Liquidity limits — protocols restricting how much bridged supply they'll accept as collateral.
- Tighter incident response coordination with major CEXs and DEX aggregators for fast freezing.
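The per-epoch mint cap from the list above, modelled in Python as an added example; it is not Hyperbridge's code or any bridge's actual implementation. The class and function names, the cap and epoch values, and the pause-on-breach behaviour are assumptions made for illustration, and the request list is constructed sample data.

```python
from dataclasses import dataclass

class MintRejected(Exception):
    """Raised when a mint would breach the per-epoch cap or the gate is paused."""

@dataclass
class EpochMintGate:
    """Hypothetical issuance gate, applied AFTER proof verification succeeds."""
    cap_per_epoch: int      # max token units mintable per epoch (assumed policy value)
    epoch_seconds: int      # epoch length in seconds (assumed policy value)
    paused: bool = False    # assumption: first over-cap request halts all minting
    _epoch: int = -1
    _minted: int = 0

    def authorize(self, amount: int, now: int) -> int:
        """Record a mint and return the allowance left in the current epoch."""
        if amount <= 0:
            raise MintRejected("amount must be positive")
        if self.paused:
            raise MintRejected("gate paused pending operator review")
        epoch = now // self.epoch_seconds
        if epoch != self._epoch:          # new epoch: reset the running total
            self._epoch, self._minted = epoch, 0
        if self._minted + amount > self.cap_per_epoch:
            self.paused = True            # fail closed so split requests also stop
            raise MintRejected(
                f"cap exceeded: {self._minted} + {amount} > {self.cap_per_epoch}")
        self._minted += amount
        return self.cap_per_epoch - self._minted

def replay(gate, requests):
    """Apply (timestamp, amount) requests; return (total minted, rejected count)."""
    minted = rejected = 0
    for now, amount in requests:
        try:
            gate.authorize(amount, now)
            minted += amount
        except MintRejected:
            rejected += 1
    return minted, rejected

# Constructed sample: two ordinary mints, one request for 1 billion tokens
# (the scale described in the incident), then a smaller follow-up request.
SAMPLE = [(0, 40_000), (1_800, 25_000), (3_000, 1_000_000_000), (3_010, 30_000)]

if __name__ == "__main__":
    gate = EpochMintGate(cap_per_epoch=100_000, epoch_seconds=3_600)
    print(replay(gate, SAMPLE), "paused:", gate.paused)
```

Because the gate sits behind proof verification, it bounds issuance even when a message is wrongly accepted as valid; the cap limits the damage and does not replace the verification fix.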
The $50K bug bounty has been characterised by security researchers as far below the going rate for critical bridge vulnerabilities. The structural lesson, increasingly contested, is that bridge bounties need to be competitive with the upside attackers can capture — and at modern bridge TVL levels, that's typically $250K-$1M+ per critical, not $50K.
Sources & on-chain evidence
- [01] cryptotimes.io: https://www.cryptotimes.io/2026/04/16/hyperbridge-raises-exploit-loss-estimate-to-2-5m-from-237k/
- [02] blog.hyperbridge.network: https://blog.hyperbridge.network/recovery-and-next-steps/
- [03] theblock.co: https://www.theblock.co/post/397773/polkadot-hyperbridge-exploit-losses-2-5-million-ten-times-initial-estimate