Hyperbridge said the April 13 exploit of its Token Gateway was about 10 times worse than initially reported, revising its estimate of realized losses to roughly $2.5 million after first putting the figure near $237,000.
The team said the higher total came after reconciling attacker activity across four chains, accounting for the exploit’s two-phase structure, and including losses tied to related incentive pools.
According to Hyperbridge, the attacker first extracted roughly 245 ETH from Token Gateway, then moved to a second phase in which about 1 billion bridged DOT tokens were minted without authorization and dumped into available decentralized exchange liquidity.
The incident exploited a flaw in the Merkle Mountain Range (MMR) proof verification logic used by Hyperbridge’s HandlerV1 path. Security researchers and incident writeups said the vulnerability allowed an attacker to forge a cross-chain style message, gain control over admin functions of the bridged DOT token contract, mint large amounts of fake bridged DOT on Ethereum, and sell into limited liquidity.
Hyperbridge said the damage was isolated to Token Gateway and affected bridged token contracts on Ethereum, Base, BNB Chain, and Arbitrum. Native DOT on Polkadot, as well as the Intent Gateway and related products built on top of it, were not affected.
Polkadot separately stated the issue was limited to DOT bridged to Ethereum through Hyperbridge and did not impact native DOT within the broader Polkadot ecosystem.
A significant portion of the exploited funds has been traced on-chain to Binance. Hyperbridge said it is working with Binance’s compliance team and law enforcement on freezing and recovery efforts. If those efforts do not fully restore user funds, Hyperbridge said it plans to allocate BRIDGE tokens to cover residual losses, but will wait to detail that mechanism so as not to undermine recovery efforts or token value.
All bridging through Token Gateway remains paused while the team finalizes a patch, secures an independent audit, and implements added safeguards. Hyperbridge said operations will not resume until the underlying vulnerability is fully addressed and the audit report is made public.
Disclosure: This article was edited by Estefano Gomez. For more information on how we create and review content, see our Editorial Policy: https://cryptobriefing.com/editorial-policy/.