On April 13, 2026, an attacker exploited a vulnerability in Hyperbridge's Ethereum gateway contract, minting 1 billion bridged DOT tokens, 2,805 times the legitimate supply, and extracting approximately $237,000 in ETH. The exploit affected only Hyperbridge's bridged DOT on Ethereum. Polkadot's relay chain, native DOT, parachains and DOT bridged through other protocols remain completely unaffected.

Polkadot's team confirmed the incident was isolated to Hyperbridge's Ethereum-side infrastructure, and Hyperbridge paused all bridging operations shortly after detection. 

The following is based on preliminary analysis and is correct as of the time of writing. Details may be updated as further information becomes available.

Technical analysis

The attacker deployed two contracts on Ethereum to execute the exploit:

• The first, 0x518ab393c3f42613d010b54a9dcbe211e3d48f26, was a minimal proxy contract created within the exploit transaction itself and served as the direct target of the exploit transaction.

• The second, 0x31a165a956842aB783098641dB25C7a9067ca9AB, was pre-deployed days earlier and contained the core mint and swap logic that would handle the actual token creation and liquidation.

The root cause was a missing input validation in the VerifyProof() function of Hyperbridge's HandlerV1 contract at 0x6C84eDd2A018b1fe2Fc93a56066B5C60dA4E6D64. The verifier did not enforce that leaf_index < leafCount. By submitting leafCount = 1 and leaf_index = 1, the attacker caused CalculateRoot() in the Merkle Mountain Range (MMR) path to skip incorporating the request commitment into the root computation. This fully decoupled the proof from the message it was meant to authenticate, enabling the attacker to forge a seemingly valid cross-chain message against a historical overlayRoot. This triggered a ChangeAssetAdmin call on the TokenGateway contract at 0xFd413e3AFe560182C4471F4d143A96d3e259B6dE, granting admin and minter rights on the bridged DOT token contract (0x8d010bf9c26881788b4e6bf5fd1bdc358c8f90b8) to the attacker's pre-deployed contract.

With minting authority secured, the attacker minted 1,000,000,000 bridged DOT from the zero address, roughly 2,805 times the legitimate circulating supply of approximately 356,000 tokens. The $237,000 extraction was constrained only by available pool liquidity, not by any limit on the vulnerability itself. The minted tokens were routed through Odos Router V3 and Uniswap V4 Pool Manager, yielding 108.2 ETH (approximately $237,000) after a small Odos routing fee. The entire operation executed in a single transaction at block 24,868,295, costing roughly $0.74 in gas.

A second, smaller exploit using the same vulnerability also drained approximately $12,000 in MANTA and CERE tokens earlier the same day, indicating the attacker tested the approach on lower-value targets before executing the primary exploit.

Impact assessment

The financial impact was concentrated on Hyperbridge's bridged DOT liquidity on Ethereum. Approximately $237,000 in ETH was extracted through the token swap. The bridged DOT price in the affected pool crashed from roughly $1.19 to near zero as the attacker dumped 1 billion tokens into liquidity pools designed for a circulating supply of approximately 356,000.

The broader market impact was limited but visible. Native DOT on centralized exchanges dipped approximately 6% in the hours following the exploit. Both Upbit and Bithumb temporarily suspended DOT deposits and withdrawals as a precaution while the scope of the incident was being assessed.

Polkadot's total supply and consensus mechanism were entirely untouched. The relay chain continued operating normally, and DOT bridged through other protocols was unaffected. This distinction is important: the exploit was specific to Hyperbridge's Ethereum gateway implementation, not to Polkadot's core infrastructure or its relay chain consensus.

Hyperbridge paused all bridging operations immediately after the exploit was identified. Both the Polkadot and Hyperbridge teams issued statements confirming the scope and containment of the incident.

Cross-chain fund movement patterns

The attacker's preparation for this exploit followed a pattern familiar to cross-chain risk analysts. The wallet 0xC513E4f5D7a93A1Dd5B7C4D9f6cC2F52d2F1F8E7 was initially funded through Railgun, a privacy protocol, and Synapse Bridge. The attacker then operated for approximately 33 days with over 50 transactions before executing the exploit.

This combination of privacy protocol funding, cross-chain bridging and extended pre-positioning is a pattern that cross-chain risk screening is specifically designed to detect. When an address receives funds through privacy-enhancing infrastructure, moves assets across chains and then engages in sustained but low-profile activity before a high-value action, the behavioral signals accumulate over time. The 33-day staging window, combined with over 50 preparatory transactions, represents a significant operational footprint that distributes risk indicators across chains and time periods.

Range has flagged both the exploit contract addresses and the attacker wallet on our Risk API. Customers using Range's Risk API on any chain can flag the attacker and track subsequent wallet- or chain-hopping as funds move through ecosystems.

Tools available for the Polkadot ecosystem

Bridge security remains one of the most persistent challenges across the blockchain industry. Cross-chain infrastructure creates unique risk surfaces because exploits on one chain can be funded, staged and liquidated across others, often using privacy protocols and multiple bridges to obscure fund flows.

Range's cross-chain Risk API and screening tools are available for teams building in the Polkadot ecosystem. The Risk API covers 300+ chains and can flag addresses, track cross-chain fund movement and provide real-time risk scoring for compliance and security workflows. Range Trail, our cross-chain forensic wallet-monitoring tool, supports incident response and the identification of stolen funds across chains.

For teams operating bridge infrastructure or DeFi protocols that interact with bridged assets, cross-chain risk screening provides a layer of visibility into the behavioral patterns that precede interaction with your contract.

The Polkadot and Hyperbridge teams responded quickly to contain this incident. As bridge infrastructure continues to grow across all ecosystems, the tools to monitor and screen cross-chain activity are an important part of the security stack.

To discuss cross-chain risk screening for bridge infrastructure, get in touch or explore the Risk API documentation.