On April 1, Hyperbridge published what looked like a serious breach announcement. The post claimed $37 million lost across Ethereum, Arbitrum, and Base, blamed the Lazarus Group, and even mentioned “unsupervised Claude agents.” It pulled 139,200 views. It was a joke.

Two days later, on April 2, Hyperbridge responded to the backlash by calling the stunt the best free marketing it ever had. The post ended with a direct claim:

“While you’re still mad, we’re still un-hackable.”

Twelve days later, a real attacker drained roughly $237,000 from the protocol.

The Exploit Hyperbridge Did Not See Coming

At 03:55 UTC on April 13, an attacker hit Hyperbridge’s HandlerV1 gateway contract on Ethereum. PeckShieldAlert was first to flag it on X, identifying a 1 billion DOT mint and dump hitting both Ethereum and Polkadot simultaneously.

officer_secret posted on X within minutes:

“Admin changed to the attacker’s contract, 1 BILLION DOT minted and immediately dumped. Price went from $1.22 to almost zero. And it looks like the bridge is just allowing infinite minting now.”

The on-chain transaction record shows the attacker’s wallet opening at 2.63 ETH and closing at 110.84 ETH after routing through Odos Router and the liquidity pool.

The $237K take was limited by one thing: shallow liquidity. The bridged DOT pool on Ethereum simply could not absorb 1 billion tokens at once. On a deeper pool, the number would have been far larger.

How a Recycled Proof Unlocked Everything

CertiKAlert detailed the mechanics on X:

“The attacker slipped through a forged message to change the admin of Polkadot token contract on Ethereum and profited ~$237K from minting and selling 1B tokens.”

The flaw sat inside the VerifyProof() function. Phalcon_xyz explained on X that HandlerV1’s replay protection only checks whether a request commitment has been used before. It does not bind the submitted request payload to the validated proof at all. That disconnect let the attacker take any old legitimate proof and attach a completely new malicious request to it.

A follow-up from Phalcon_xyz confirmed the deeper issue:

“The verifier does not enforce leaf_index < leafCount. If an attacker submits leafCount = 1 and leaf_index = 1, CalculateRoot() in the MMR path never incorporates the request commitment into root computation.”

Proof and message fully decoupled. Any request content passed verification.

CertiKAlert’s thread breakdown confirmed the attacker copied a proof value from a previous legitimate transaction, fed it into a path where MerkleMountainRange ran with a leaf count of one, and the root calculation skipped binding entirely.
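To make the leaf-index gap concrete, here is an added illustration, not Hyperbridge's contract code: a simplified Python model of an MMR root check in which a leaf whose index is not below leafCount is never folded into the root, beside the bounds check that closes the gap. The hashing, the sibling-path climb, the right-to-left peak bagging and the multi-peak handling are assumptions chosen for the model, and the sample commitments are constructed.

```python
import hashlib
def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def peak_sizes(leaf_count: int) -> list:
    """Each set bit of leaf_count is one perfect subtree (a peak), largest first."""
    return [1 << b for b in range(leaf_count.bit_length() - 1, -1, -1) if (leaf_count >> b) & 1]
def climb(leaf: bytes, local_index: int, siblings: list) -> bytes:
    """Hash the leaf up to its peak along the sibling path; index bits pick left/right."""
    node = leaf
    for sib in siblings:
        node = h(sib, node) if local_index & 1 else h(node, sib)
        local_index >>= 1
    return node

def bag_peaks(peaks: list) -> bytes:
    """Fold the peaks right-to-left into a single MMR root."""
    root = peaks[-1]
    for p in reversed(peaks[:-1]):
        root = h(p, root)
    return root

def calculate_root(leaf, leaf_index, leaf_count, peaks, siblings, check_bounds) -> bytes:
    # Hardened path: a leaf index at or beyond leaf_count cannot exist in this tree.
    if check_bounds and leaf_index >= leaf_count:
        raise ValueError("leaf_index must be < leaf_count")
    peaks, offset = list(peaks), 0
    for i, size in enumerate(peak_sizes(leaf_count)):
        if offset <= leaf_index < offset + size:
            peaks[i] = climb(leaf, leaf_index - offset, siblings)  # commitment bound into its peak
            break
        offset += size
    # Unchecked path: an out-of-range leaf matches no peak; the root comes from supplied peaks only.
    return bag_peaks(peaks)

def verify(stored_root, leaf, leaf_index, leaf_count, peaks, siblings, check_bounds) -> bool:
    try:
        return calculate_root(leaf, leaf_index, leaf_count, peaks, siblings, check_bounds) == stored_root
    except ValueError:
        return False

def demo() -> tuple:
    """Constructed one-leaf MMR; the forged proof reuses the legit peak with leaf_index == leafCount."""
    good, evil = h(b"legitimate request"), h(b"constructed: change-admin request")
    stored_root = bag_peaks([good])
    legit = verify(stored_root, good, 0, 1, [good], [], True)
    forged_unchecked = verify(stored_root, evil, 1, 1, [good], [], False)
    forged_checked = verify(stored_root, evil, 1, 1, [good], [], True)
    return legit, forged_unchecked, forged_checked  # (True, True, False)
```

The same trick works against a larger tree in this model: any leaf_index >= leaf_count lands in no peak, so the submitted commitment never touches the root.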

CertiKAlert’s second post noted TokenGateway’s handleChangeAdmin() function checked the request source against a stored address. The attacker read the stored address and fed it back in directly. The third post confirmed execution code in the request body passed from Handler to Host to Gateway with nothing checking it. Admin of the DOT contract flipped.

The full CertiK transaction trace is publicly available.

Polkadot and Hyperbridge Both Respond

Seun Lanlege, a core contributor at Hyperbridge, confirmed the team was already investigating. On X, seunlanlege wrote:

“Our initial diagnosis is the attacker constructed a sophisticated malicious proof to fool our merkle tree verifier. Damage is so far limited to just the DOT token. Other applications unaffected.”

Polkadot posted on X to confirm the core chain was not touched:

“The exploit only affects DOT on Ethereum that is bridged through Hyperbridge and does not affect DOT in the Polkadot ecosystem, or DOT bridged through other bridges. Polkadot, its parachains, and native DOT remain secure and unaffected.”

Hyperbridge confirmed the pause on X:

“We’ve paused all bridging and advised partners to halt related transactions while the team contains the issue.”

Phalcon Security identified seven attack transactions in total via PhalconExplorer. The investigation is open. No recovery path or patch timeline has been announced publicly.

What THORChain Called Out

THORChain posted on X with a direct take:

“The attacker minted 1 billion fake $DOT on Ethereum out of thin air, dumped it straight into the liquidity pool, and drained ~240K $ETH in a single transaction. Polkadot didn’t fail here, the infrastructure around it did.”

THORChain drew the line between native asset movement and third-party wrapped token contracts, calling the latter the attack surface that keeps getting hit. The Hyperbridge DOT exploit adds to a 2026 bridge incident list that already includes IoTeX’s ioTube losing an estimated $4.3 million in February after a private key compromise. Chainalysis data puts bridge failures at more than 60% of all crypto hacks by count, with cumulative losses above $2 billion.

Hyperbridge called itself a protocol that removes trust from cross-chain messaging. On April 13, a forged proof proved the verifier could still be fooled. The April 1 joke aged poorly. The April 2 boast aged worse.