Hyperbridge has revised the estimated losses from the April 13 Token Gateway exploit to about $2.5 million, roughly ten times higher than its initial figure of about $237,000. The team arrived at the larger total after reconciling attacker activity across four blockchains, accounting for a two-phase exploit sequence, and including related incentive pool losses.
According to Hyperbridge, the attacker first withdrew roughly 245 ETH from the Token Gateway. In a second phase, the attacker was able to mint about 1 billion bridged DOT tokens without authorization and rapidly sell them into available DEX liquidity.
The root cause was a flaw in the Merkle Mountain Range proof verification logic used by Hyperbridge’s HandlerV1 path. Security researchers and post-incident analyses say the vulnerability let an attacker forge a cross-chain-style message, seize admin-level controls over the bridged DOT token contract, create large amounts of fake bridged DOT on Ethereum, and dump those tokens into limited liquidity pools.
Hyperbridge says the impact was limited to the Token Gateway and bridged DOT token contracts on Ethereum, Base, BNB Chain, and Arbitrum. Native DOT on Polkadot, plus the Intent Gateway and products built on it, were not affected. Polkadot also confirmed the issue was restricted to DOT bridged to Ethereum via Hyperbridge and did not affect native DOT across the Polkadot ecosystem.
A large portion of the exploited funds has been traced on-chain to Binance. Hyperbridge is working with Binance’s compliance team and law enforcement to pursue freezing and recovery efforts. If those actions do not fully restore user losses, Hyperbridge says it plans to allocate BRIDGE tokens to cover any remaining shortfall, but it will delay public details of that plan to avoid compromising recovery efforts or token value.
All Token Gateway bridging remains paused while Hyperbridge implements a patch, commissions an independent security audit, and adds extra safeguards. Operations will only resume once the vulnerability is fixed and the audit report is made public.
This report was edited for clarity and accuracy.