An attacker hit the Hyperbridge Ethereum gateway contract on April 13, 2026, forging a cross-chain message to seize minting rights for Polkadot’s bridged ERC-20 token, producing 1 billion counterfeit tokens and selling them for roughly $237,000 before on-chain monitors raised the alarm.
The breach, confirmed within the hour by blockchain security firm CertiK, which flagged the exploit targeting the Hyperbridge gateway contract, marks a significant test for a protocol that had staked its reputation on eliminating the committee-based trust models behind previous bridge failures.
How the Attack Moved Through the Gateway
The attacker deployed a master contract and a helper contract in a single transaction. The helper then submitted forged state proofs to the vulnerable HandlerV1 contract, bypassing verification checks. This allowed a malicious “ChangeAssetAdmin” action to be executed via the TokenGateway.onAccept() path, transferring admin and minter privileges of the DOT token contract to the exploiter.
With those privileges in hand, the attacker minted 1 billion DOT tokens, approximately 2,805 times the reported total supply of around 356,000 tokens. The entire position was liquidated in a single transaction. On-chain tracker Lookonchain noted that after this, the attacker dumped the entire supply, netting 108.2 ETH, approximately $237,000.
The Interoperable State Machine Protocol (ISMP), which Hyperbridge uses to relay verified messages between Polkadot and Ethereum, was the entry point. The vulnerability lay not in the consensus logic itself but in how the gateway contract accepted and processed incoming admin commands.
What the Exploit Left Intact, and What It Did Not
The attack did not compromise Polkadot’s native relay chain or the DOT token on Polkadot itself. It targeted only the bridged, or wrapped, representation of DOT. Holders of native DOT on Polkadot were unaffected.
The ERC-20 representation, however, took a visible hit. DOT token price dropped by roughly 4.8% to $1.16 following the exploit, according to CoinMarketCap data. South Korean exchanges Upbit and Bithumb suspended Polkadot transactions amid the security concerns.
A Protocol Tested Against Its Own Claims
Hyperbridge, developed by Polytope Labs, a collective founded by core developers of Ethereum, Polkadot, and IBC, had positioned itself as an alternative to multisig bridge models. Its founder, Seun Lanlege, previously argued that cryptographic verification removes the human failure point that has cost the broader ecosystem billions. The protocol relies on zero-knowledge proofs so Ethereum-compatible chains can verify Polkadot’s consensus without high computational costs, with no committee managing funds.
The exploit did not break the consensus proof model. It bypassed the gateway contract’s input validation, a different layer of the stack. That distinction matters for assessing what needs to be patched, though it will not blunt the reputational impact.
As of the time of publication, no official statement from Hyperbridge or Polytope Labs had been widely circulated regarding mitigations, pauses, or fund recovery efforts.
The protocol had processed over $300 million by the end of 2025 and had undergone security audits by SR Labs, the same firm that audits the Polkadot chain. A bug bounty program worth up to $250,000 was also in place across Immunefi, Cantina, and Hacken.
