A real exploit hit Hyperbridge’s Ethereum gateway contract on April 13, 2026, around 3:55 a.m. UTC. An attacker minted roughly 1 billion fake bridged Polkadot (DOT) tokens on Ethereum, worth a theoretical ~$1.17–1.19 billion at prevailing prices, but extracted only about $237,000–250,000 in ETH (roughly 108.2 ETH) due to extremely thin liquidity in the relevant DEX pools, primarily Uniswap V4.
Hyperbridge is a cross-chain interoperability protocol built on Polkadot that uses its Interoperability State Machine Protocol (ISMP) for bridging assets like DOT to Ethereum and other chains. The vulnerability was isolated to the Ethereum Host Token Gateway contract on the Ethereum side:
The attacker forged a cross-chain message that bypassed proper state proof validation: specifically, a Merkle Mountain Range (MMR) proof replay vulnerability or missing input validation in the VerifyProof() function (e.g., not enforcing leaf_index < leafCount properly).
This allowed them to gain unauthorized admin control over the bridged DOT token contract on Ethereum. They then minted the massive supply of unbacked tokens and dumped them into low-liquidity pools, crashing the price of the bridged asset but limiting the actual ETH extracted. MEV bots and others replicated similar actions on other Hyperbridge-wrapped assets, but total realized losses stayed around $250K.
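Why a bound like leaf_index < leafCount matters in a proof verifier, shown as an added example that is not Hyperbridge's code and not taken from the original article. It assumes a simplified power-of-two binary Merkle tree rather than an MMR, and every function name and sample message in it is hypothetical.

```python
import hashlib

def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def leaf_hash(data: bytes) -> bytes:
    return _h(b"\x00", data)          # domain-separate leaves from inner nodes

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01", left, right)

def build_tree(leaves):
    """Return all levels bottom-up; leaf count must be a power of two here."""
    levels = [[leaf_hash(x) for x in leaves]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def make_proof(levels, index):
    proof = []
    for level in levels[:-1]:
        proof.append(level[index ^ 1])  # sibling at this height
        index >>= 1
    return proof

def _fold(leaf, index, proof):
    node = leaf_hash(leaf)
    for sibling in proof:
        node = node_hash(sibling, node) if index & 1 else node_hash(node, sibling)
        index >>= 1
    return node

def verify_lax(root, leaf, index, proof):
    # Weak form: only the low len(proof) bits of index influence the result.
    return _fold(leaf, index, proof) == root

def verify_strict(root, leaf, index, leaf_count, proof):
    if not 0 <= index < leaf_count:                   # the leaf_index < leafCount bound
        return False
    if len(proof) != (leaf_count - 1).bit_length():   # exact path length for this tree
        return False
    return _fold(leaf, index, proof) == root

if __name__ == "__main__":
    leaves = [b"msg-0", b"msg-1", b"msg-2", b"msg-3"]  # constructed sample messages
    levels = build_tree(leaves)
    root, proof = levels[-1][0], make_proof(levels, 1)
    print(verify_lax(root, leaves[1], 5, proof))       # index 5 does not exist in a 4-leaf tree
    print(verify_strict(root, leaves[1], 5, 4, proof))
    print(verify_strict(root, leaves[1], 1, 4, proof))
```

The lax verifier accepts the leaf at a position the tree does not contain because the proof only binds the low bits of the index, so any logic keyed on the claimed index is working from an unverified value.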
Hyperbridge quickly paused all bridging operations and advised partners to halt related transactions while investigating. The impact was limited to bridged DOT on Ethereum: native DOT on the Polkadot relay chain, parachains, staking, governance, and DOT bridged via other protocols remain completely unaffected and secure. Polkadot and the broader ecosystem confirmed this explicitly.
Bridged DOT on Ethereum saw its price collapse by nearly 100% in the thin pools. Native DOT price dipped ~5–10% amid sentiment and liquidations but has been trading around $1.13–1.20 recently. There is no systemic risk to Polkadot itself. The bridge is paused. Investigations involve firms like CertiK (which first flagged it), PeckShield, and BlockSec Phalcon. Fixes are underway for the validation flaw.
Hyperbridge had posted an April Fools’ joke about two weeks earlier claiming they were hacked and jokingly positioning themselves as unhackable. The real exploit followed shortly after, which added some ironic commentary in the community. This incident highlights a classic bridge risk: cross-chain message verification and admin privileges on destination-chain token contracts can create high-impact single points of failure if proofs aren’t rigorously validated.
The attacker minted 1 billion fake bridged DOT (theoretical value ~$1.17–1.19B) on Ethereum but extracted only ~108.2 ETH ($237,000–250K) due to extremely thin liquidity in Uniswap V4 and related pools. Similar smaller exploits occurred on other Hyperbridge-wrapped assets, but total realized damage stayed limited.
Bridged DOT on Ethereum
The fake tokens crashed the price of the bridged representation by nearly 100% in affected pools. Only Hyperbridge-bridged DOT was impacted: native DOT, the Polkadot relay chain, parachains, staking, governance, and DOT bridged via other protocols remain fully secure and unaffected.
Native DOT price reaction: a temporary dip of ~5–6%, briefly approaching or testing lows near $1.13–1.17, with ~$20M in market cap wiped and over $700K in long liquidations. The move was sentiment-driven; DOT has since stabilized around recent levels. Hyperbridge immediately paused all bridging operations while the team investigates and prepares fixes.
Partners were advised to halt related transactions. There is no timeline for resumption yet. Broader effects: the incident highlights ongoing bridge security risks, namely proof validation and admin control flaws. There is no systemic risk to the Polkadot ecosystem. Realized damage was contained by liquidity constraints and native Polkadot assets are safe, but the incident caused short-term price volatility and a full bridge pause.
Bridges have historically been one of the weakest links in crypto interoperability. If you’re holding bridged DOT on Ethereum via Hyperbridge, treat it cautiously until the pause lifts and a full post-mortem and fix are released. Native Polkadot assets are not at risk here.



