A hacker exploited the Polkadot-based cross-chain protocol Hyperbridge, minting 1 billion bridged DOT tokens on Ethereum and ultimately converting a portion into about 108.2 ETH, worth roughly $237,000, after liquidity constraints whittled down the proceeds. The incident rekindles questions about the security of the bridge infrastructure that underpins cross-chain token transfers.
CertiK researchers traced the minting to a forged message that altered the admin of the Polkadot token contract on Ethereum, enabling the attacker to generate the bridged DOT. However, the liquidity dynamics in Ethereum’s bridged-DOT pool capped the eventual profit, leaving a small fraction of the minted value realized on the open market.
Security researchers pointed to a potential replay vulnerability tied to the protocol’s Merkle Mountain Range (MMR) proofs. Blocksec Falcon described the likely root cause as an MMR proof replay vulnerability stemming from missing proof-to-request binding, though Hyperbridge has not publicly confirmed a final root-cause assessment.
Hyperbridge halted operations to implement an upgrade while investigators assess the breach. Early commentary from contributors suggested the fault may have involved a malicious proof that fooled the protocol’s Merkle-tree verifier, underscoring how cross-chain verification mechanisms can be a weak link in bridge design.
The incident sits alongside other bridge-related disclosures in recent weeks. Aethir disclosed a separate bridge exploit earlier this year, with user losses kept under $90,000, a reminder that multiple bridges remain targets in the nascent cross-chain ecosystem.
Polkadot noted that the incident affected only DOT on Ethereum bridged through Hyperbridge; native DOT tokens and the broader Polkadot ecosystem were not impacted. The DOT price faced pressure but recovered from a dip to about $1.16, with quotes placing it above $1.19 at the time of writing per CoinGecko data.
Key takeaways
- Hyperbridge’s breach involved minting 1 billion bridged DOT on Ethereum, with on-chain data showing approximately 108.2 ETH (about $237,000) realized after the swap because of liquidity constraints.
- CertiK attributes the mint to a forged message that changed the admin of the Polkadot token contract on Ethereum, enabling the attack.
- Blocksec Falcon’s analysis points to an MMR proof replay vulnerability from missing proof-to-request binding, though a definitive root cause has not been publicly confirmed by Hyperbridge.
- The incident caused no broader DOT disruption beyond the Ethereum-bridged DOT via Hyperbridge; native DOT and the wider Polkadot network remained unaffected.
- Separately, SubQuery Network reported a $130,000 breach due to missing access controls that allowed an attacker to redirect staking withdrawals, highlighting ongoing bridge- and data-indexing-security challenges in DeFi infrastructure.
Hyperbridge breach: what happened and what’s at stake for cross-chain bridges
The attacker executed a single, high-impact operation: minting 1 billion DOT tokens through Hyperbridge by exploiting a forged message that altered the admin rights on the Ethereum-facing Polkadot contract. CertiK’s analysis emphasizes that the forgery enabled token creation within the bridged layer, followed by a liquidity-constrained sale that ultimately yielded about 108.2 ETH (roughly $237,000 at current prices) after the token swap.
Hyperbridge promptly paused its bridge services and initiated an upgrade to address the vulnerability. While the initial assessment suggests a malicious proof manipulated the Merkle-tree verifier, the protocol’s team has not yet released a formal, final root-cause statement. The incident demonstrates how a single forged control instruction in a cross-chain contract can unlock large token minting if the verification mechanism that underpins the bridge is compromised.
Root-cause debate and the resilience of proof-based bridges
Industry researchers have highlighted potential weaknesses in the way cross-chain proofs are bound to requests. Blocksec Falcon stated that an MMR proof replay scenario, driven by missing proof-to-request binding, could enable duplicate or fraudulent validations within a bridge’s verification layer. While this framing aligns with a known class of proof-related exploits, confirmation from Hyperbridge regarding the exact cause remains pending, leaving investors and builders awaiting a definitive account and remediation plan.
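The proof-to-request binding at issue can be shown in miniature. The Python below is an added example, not Hyperbridge's code and not a reconstruction of the incident, whose root cause is unconfirmed; it uses a plain binary Merkle tree in place of a full MMR, and the request strings, function names and `BoundVerifier` class are hypothetical.

```python
import hashlib

def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def leaf_hash(request: bytes) -> bytes:
    return _h(b"\x00", request)            # domain-separated leaf commitment

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01", left, right)

def build_proof(leaves, index):
    """Return (root, path); path items are (sibling, sibling_is_left).
    Assumes len(leaves) is a power of two (toy tree, not a real MMR)."""
    level, path = list(leaves), []
    while len(level) > 1:
        sib = index ^ 1
        path.append((level[sib], sib < index))
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path

def fold(leaf, path):
    acc = leaf
    for sibling, sibling_is_left in path:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return acc

def verify_unbound(root, proven_leaf, path, request):
    # Weak: shows that *a* leaf is committed, but `request` is never hashed,
    # so any request body can ride along with an old, valid proof.
    return fold(proven_leaf, path) == root

class BoundVerifier:
    def __init__(self, root):
        self.root, self.consumed = root, set()

    def verify(self, request, path):
        leaf = leaf_hash(request)          # leaf is derived from the request itself
        if leaf in self.consumed or fold(leaf, path) != self.root:
            return False                   # replayed, or request not in the tree
        self.consumed.add(leaf)            # one execution per committed request
        return True

# Constructed sample data (hypothetical request format).
REQUESTS = [b"nonce=%d;op=transfer;amount=5" % n for n in range(4)]
ROOT, PATH0 = build_proof([leaf_hash(r) for r in REQUESTS], 0)
UNCOMMITTED = b"nonce=9;op=change_admin"   # never included in the tree
```

The unbound check accepts `UNCOMMITTED` when it is paired with the proof for `REQUESTS[0]`; `BoundVerifier` rejects it, accepts the committed request once, and rejects a second submission of the same proof.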
Beyond the technical specifics, the incident reinforces a broader narrative: even protocols marketed as “full node security” for cross-chain interoperability can face material exploits if the underlying proof systems and admin controls are not airtight. The market’s reaction—at least in the DOT-ETH bridged segment—has been cautious, with liquidity-sensitive outcomes shaping the realized profits for attackers and shaping perceptions of risk around bridge deployments.
Broader ecosystem impact: DOT, SubQuery, and the DeFi security landscape
In parallel to the Hyperbridge incident, the data-indexing protocol SubQuery Network reported a separate breach of roughly $130,000, attributed to insufficient access control that allowed an attacker to designate a malicious contract as the withdrawal target for staking rewards. Security auditors emphasized that legacy code and long-running access-control gaps can create windows for misappropriation even years after initial deployment.
Looking at the broader security landscape, industry trackers note a marked decline in DeFi exploit losses year over year. For Q1 2026, hackers stole about $168 million across 34 protocols, a sharp drop from Q1 2025’s $1.58 billion in total exploits, which included the record $1.4 billion Bybit hack. The figures underline a continuing improvement in some security metrics, even as individual incidents—such as Hyperbridge and SubQuery—illustrate persistent risk at the protocol level.
From Polkadot’s vantage point, the incident underscores a targeted risk around cross-chain bridges rather than a flaw in native assets. Polkadot noted that native DOT and the broader network remained unaffected by the Hyperbridge event, which is an important nuance for users and investors navigating bridged ecosystems. The price reaction has been mixed, with DOT briefly dipping before stabilizing above $1.19 as liquidity responded to the incident and subsequent updates.
What comes next for users, developers, and the market
For users and developers, the episode emphasizes the need for robust admin-control hardening, tighter proof-binding between bridge requests and verifications, and ongoing runtime monitoring of bridge state. The Hyperbridge team’s upgrade path will be crucial to restoring trust in a protocol that positions itself as a secure conduit for cross-chain assets. Practitioners should watch for a published root-cause statement, a detailed remediation plan, and any proofs or audits that quantify the improved security posture.
Regulators and standard-setters are also eyeing cross-chain security as bridging becomes an increasingly common primitive in crypto infrastructure. For traders and investors, the events reinforce a cautious stance toward bridged assets and a need to monitor liquidity conditions that can magnify or shrink the realized value of an exploit. As the ecosystem matures, more robust risk controls, formal verification of cross-chain proofs, and explicit incident disclosure practices will likely shape the next wave of security-focused improvements in bridge design.
Readers should watch for Hyperbridge’s ongoing upgrade trajectory, any formal root-cause disclosures, and correlated developments across other bridge projects as the space seeks to harden its defenses against increasingly sophisticated attack patterns.






