Cross-Chain Bridge Attack Targets Hyperbridge Gateway on Ethereum
An unknown attacker exploited a critical flaw in Hyperbridge’s Ethereum gateway contract on April 13, 2026. The exploit allowed the attacker to mint one billion bridged Polkadot (DOT) tokens on Ethereum. Despite a nominal value of roughly $1.19 billion, the attacker converted only around $237,000 into real funds.
Polkadot faces sharp market reaction after a $1B bridged token exploit on Ethereum. [coinpedia]
Hyperbridge is a cross-chain interoperability protocol that connects assets across different blockchains. The exploit hit its EthereumHost gateway contract, not the Polkadot relay chain itself. Blockchain security firm CertiK flagged the attack on-chain shortly after it occurred.
The incident stands out because of the enormous gap between what the attacker theoretically controlled and what they actually walked away with. Security researchers attribute that gap almost entirely to shallow liquidity inside the affected Ethereum pool.
Market Reacts Instantly to Exploit News
Early market reaction reflected panic-driven selling as reports of the exploit spread. Crypto commentator Ash Crypto noted that Polkadot fell 5% within minutes, wiping out nearly $20 million in market capitalization.
https://x.com/AshCrypto/status/2043564957166657596
The rapid decline triggered approximately $728,000 in long liquidations, as traders rushed to exit positions amid fears of a large-scale breach. The sell-off followed claims that an attacker had minted over one billion DOT tokens and dumped them in a single transaction, extracting 108.2 ETH (about $237,000).
How a Forged Message Gave the Attacker Admin Control
The attacker submitted a forged message through Hyperbridge’s dispatchIncoming function. That message was then routed to TokenGateway.onAccept. The system should have checked the message against a valid cross-chain state commitment from Polkadot.
The commitment value stored during that check, however, contained all zeros. This indicates that the proof validation step was either absent or bypassed for that specific call path. The flaw gave the attacker a direct route to take control of the bridged token contract.
Once through, the forged message executed changeAdmin on the bridged DOT contract. This transferred admin and minter privileges directly to the attacker’s wallet address, a standard but severe outcome when bridge validation fails.
Replay Vulnerability in Proof Validation Function Enabled the Breach
CertiK’s post-mortem identified a replay vulnerability in the Merkle Mountain Range’s calculateroot function as the technical root cause. This flaw meant that state proofs were not properly bound to individual requests. Attackers could therefore reuse old state commitments to satisfy validation checks without providing genuine proof.
Downstream, the tokengateway.handlechangeadmin function failed to enforce strict input checks. This allowed the attacker to supply arbitrary request data without any rejection. The combination of both weaknesses made the full attack possible in a single sequence of transactions.
Attacker Mints One Billion DOT Tokens in a Single On-Chain Transaction
With admin control secured, the attacker minted one billion bridged DOT tokens in one transaction. The total supply of bridged DOT on Ethereum at the time sat at roughly 356,000 tokens. The attacker’s mint exceeded that figure by approximately 2,805 times.
The attacker then routed those tokens through Odos Router V3 into a Uniswap V4 DOT-ETH liquidity pool. Multiple swaps at slightly varying prices extracted roughly 108.2 ETH from the pool. At prevailing market rates, that translated to approximately $237,000.
The scale of the mint alone did not determine the final outcome. The depth of available liquidity proved to be the decisive factor limiting how much the attacker could actually extract.
Thin Liquidity Caps the Profit — a Structural Accident, Not a Defense
The bridged DOT pool on Ethereum held limited depth. When the attacker dumped one billion tokens into it, the price of bridged DOT collapsed almost immediately. Selling pressure overwhelmed available buyers, so the attacker received a fraction of a cent per token.
Limited liquidity in the DOT-ETH pool prevented the attacker from converting the full minted value into real funds. [blocktempo]
This outcome was not a deliberate defense mechanism, it was an accident of market structure. Security analysts noted that the same vulnerability on a deeper pool, or applied to a higher-value bridged asset, would have caused far larger losses for users and liquidity providers.
The attack makes clear that shallow liquidity can, under specific conditions, contain the damage from a minting exploit. It does not reduce the severity of the underlying code vulnerability itself.
A Second Exploit Drains $12,000 in MANTA and CERE Tokens
Security researchers identified a second, smaller exploit using the same Hyperbridge pipeline earlier that same day. A different attacker address abused the TokenGateway.onAccept() path to drain approximately $12,000 in MANTA and CERE tokens from the protocol.
Both incidents share the same root cause: insufficient state-proof verification inside Hyperbridge’s ISMP message flow. The two attacks occurring within hours of each other suggest the vulnerability was either found independently by multiple actors or shared within a small group.
Attacker’s Wallet Shows 33 Days of On-Chain Preparation
On-chain investigators traced the attacker’s funding to Railgun and Synapse Bridge — tools commonly used to obscure transaction origins. The attacker’s funding wallet operated for approximately 33 days and completed more than 50 transactions before triggering the exploit.
After completing the swaps, the attacker transferred 108.2 ETH back to their externally owned account. That wallet remains under active monitoring by blockchain analytics firms, including Arkham Intelligence, which published a public on-chain tracker shortly after the attack.
DOT Price Drops 6% on Panic — Native Polkadot Network Remains Secure
The price of DOT fell from approximately $1.23 to $1.16 after initial news reports surfaced, a drop of nearly 6% at its lowest point. The token partially recovered to around $1.19 as market participants absorbed clarifications from security researchers.
The sell-off did not reflect any change in Polkadot’s core fundamentals. Traders reacted to headlines referencing “one billion DOT tokens minted” without initially distinguishing between native DOT on the Polkadot relay chain and the bridged version on Ethereum. Only the wrapped, bridged representation was affected.
Polkadot’s relay chain, its native token, and its on-chain governance remained fully operational throughout the incident. The breach stayed confined entirely to the Hyperbridge gateway contract on Ethereum.
Also Read: How Telegram Plans to Turn Crypto Into the World’s Payment Rails
Hyperbridge Stays Silent as Security Community Calls for Disclosure
As of publication, neither Hyperbridge nor its developer Polytope Labs had issued any public statement on the exploit. The team had not confirmed whether other bridged token contracts using the same gateway carry the same vulnerability.
The absence of an official response or any pause announcement drew criticism from security professionals. Confirming whether additional contracts remain at risk is widely regarded as a minimum disclosure standard following an exploit of this scale.
The attack adds to an already costly year for cross-chain bridges. Earlier in 2026, a separate incident drained $270 million from Drift Protocol on Solana. Both cases reinforce a consistent pattern: bridges hold admin-level control over destination-chain token contracts, and a single validation failure can hand an attacker unlimited minting authority.
FAQS
Q1: What caused the Hyperbridge exploit?
A: The exploit was caused by a failure in state-proof validation within Hyperbridge’s Ethereum gateway, allowing a forged cross-chain message to bypass security checks.
Q2: Was the Polkadot network itself compromised?
A: No, the native Polkadot network remained secure. The exploit only affected bridged DOT tokens on Ethereum.
Q3: How did the attacker mint one billion DOT tokens?
A: The attacker gained admin control of the bridged token contract by exploiting a validation flaw, which allowed them to mint tokens freely.
Q4: Why did the attacker only steal about $237,000 despite minting $1 billion worth of tokens?
A: The attacker was limited by low liquidity in the DOT-ETH pool, which caused the token price to collapse during the sell-off.
Q5: Can this type of exploit happen again?
A: Yes, similar vulnerabilities can occur in cross-chain bridges if proof verification and validation mechanisms are not properly secured.
Disclaimer:
This article is published by Crafmin for informational purposes only and is based on publicly available data regarding Hyperbridge and its developer Polytope Labs. While efforts have been made to ensure accuracy, Crafmin does not independently verify all technical details or on-chain findings and makes no representations or warranties regarding completeness or reliability. This content does not constitute financial, investment, or security advice, and readers should conduct their own research before making any decisions.
