Loading Search...
Polkadot exploit impacts Hyperbridge bridge as attacker mints fake DOT on Ethereum, while native Polkadot network remains unaffected.
Author: Akshat Thakur
13th April 2026 – An attacker minted 1 billion bridged DOT tokens on Ethereum on April 13. The attacker then sold them for 108.2 ETH, roughly $237,000. This Hyperbridge exploit targeted the protocol’s Ethereum gateway contract, not Polkadot’s core network.
High Signal Summary For A Quick Glance
Jellybean
@lennydegiorgio
@Polkadot @hyperbridge Surely it affects DOT holders too, if 1B additional tokens were minted?
We’re aware of an issue affecting @hyperbridge's Ethereum gateway contract. The exploit only affects DOT on Ethereum that is bridged through Hyperbridge and does not affect DOT in the Polkadot ecosystem, or DOT bridged through other bridges. Polkadot, its parachains, and
07:58 AM·Apr 13, 2026
Macro Bombastic
@MacroBombastic
@Polkadot @hyperbridge easy money short DOT bro
We’re aware of an issue affecting @hyperbridge's Ethereum gateway contract. The exploit only affects DOT on Ethereum that is bridged through Hyperbridge and does not affect DOT in the Polkadot ecosystem, or DOT bridged through other bridges. Polkadot, its parachains, and
07:46 AM·Apr 13, 2026
Justus
@TheWeb3Patriot
@Polkadot @hyperbridge We don’t need this right now 🥺😩 https://t.co/WLjHsXMb4D
We’re aware of an issue affecting @hyperbridge's Ethereum gateway contract. The exploit only affects DOT on Ethereum that is bridged through Hyperbridge and does not affect DOT in the Polkadot ecosystem, or DOT bridged through other bridges. Polkadot, its parachains, and
07:40 AM·Apr 13, 2026
Steady attention without excessive speculation.
On-chain analytics account LookOnChain flagged the transaction early that morning. Community notes and follow-up posts then clarified that the breach hit Hyperbridge, not Polkadot itself.
CertiK’s alert account also identified the attack vector. According to CertiK, the attacker forged a message to seize admin rights on the bridged DOT token contract.
Hyperbridge operates as a proof-based interoperability layer built on Polkadot’s consensus. It lets users move assets like DOT between parachains and Ethereum without trusted multisigs.
Instead of validators signing off on transfers, Hyperbridge verifies cryptographic proofs. These proofs come from Polkadot’s BEEFY and GRANDPA mechanisms. Smart contracts on Ethereum then check those proofs inside the HandlerV1 and TokenGateway contracts.
The protocol had positioned itself as one of the more secure bridges in crypto. In fact, an April 1 blog post from the team described it as “effectively unhackable” under normal conditions.
The attack centered on two configuration weaknesses inside the Ethereum-side contracts. First, the attacker deployed a contract that submitted a forged consensus proof. An unverified consensus client accepted that proof and stored a malicious state commitment.
The challenge period on those contracts had been set to zero. As a result, the forged commitment became usable immediately. There was no dispute window to catch it.
From there, the attacker crafted an ISMP message. That message changed the admin of the bridged DOT token contract. It then minted 1 billion tokens, approved a router, and swapped everything through Uniswap V4.
The entire sequence executed in a single transaction. It cost fractions of a cent in gas. A separate technical breakdown in the LookOnChain thread detailed the exact contract calls, including the replay of a previously valid proof.
Key milestones in Hyperbridge Exploit on Polkadot
Hyperbridge launches as a proof-based interoperability layer on Polkadot, enabling trustless DOT bridging to Ethereum using BEEFY and GRANDPA consensus proofs verified on-chain.
Team publishes blog asserting strong security guarantees based on Polkadot’s staked consensus, positioning the system as effectively unhackable under normal conditions.
Attacker exploits Ethereum gateway misconfiguration, forges consensus proof, mints 1B bridged DOT, and swaps entire amount for 108.2 ETH in a single Uniswap V4 transaction.
Hyperbridge and Polkadot confirm impact limited to Ethereum-bridged DOT; bridging halted, partners warned, investigation launched, while native DOT sees a 3–7% sentiment-driven dip.
Polkadot’s official account addressed the incident on X later that morning. According to the team, the exploit only affects DOT on Ethereum bridged through Hyperbridge. Native DOT, parachains, and other bridges remain secure.
Hyperbridge confirmed the pause in a separate post. The team said it took “immediate measures to mitigate the attack” and paused all bridging through its frontend. It also advised partners to pause extrinsics and post warnings.
The extracted amount stayed small because bridged DOT liquidity on Ethereum was thin. Polkadot’s recent DeFi push had moved roughly 5 million native DOT across the bridge before the attack.
The billion-token mint overwhelmed available pools. As a consequence, the bridged DOT price crashed from around $1.22 to near zero in minutes.
Native DOT on Polkadot traded down 3% to 7% in the following hours, according to market trackers. Several major exchanges also paused bridged DOT deposits and withdrawals to protect users.
Loading chart...
Bridges remain the most attacked sector in cross-chain DeFi. This incident echoes earlier disasters like the $625 million Ronin hack. It also mirrors the $320 million Wormhole exploit. In each case, one contract flaw unlocked outsized damage.
Hyperbridge had marketed itself on the back of Polkadot’s $1 billion-plus in staked security. Yet the live deployment contained a zero challenge period and an unverified consensus client. Those configuration gaps turned a theoretical strength into a real liability.
The attacker walked away with far less than the minted tokens’ face value. Thin liquidity acted as a natural brake. Still, the episode shows how quickly a prepared actor can exploit proof validation failures.
The attacker’s wallet was only 33 days old. Privacy tools including RAILGUN funded it. Before striking, the wallet had spent weeks testing contracts against live state, according to the LookOnChain thread.
Funds moved through shielded pools and incremental ETH withdrawals. This pattern is typical of operators who launder proceeds over time. So far, no on-chain movement out of Ethereum has appeared beyond the initial swap.
Hyperbridge has frozen the affected contracts. The team is now working with auditors to patch the challenge period and consensus client verification. Polkadot’s core chain and other bridges stay fully operational.
A post-mortem will likely detail which components failed. It should also clarify whether the consensus client had a backdoor, a key leak, or a verification bug. For now, users should avoid any remaining bridged DOT on Ethereum.
This event could accelerate calls for stricter bridge deployment standards. Non-zero challenge periods and verified source code for every consensus client may become baseline requirements. DOT’s price has held so far, but long-term confidence depends on how transparently Hyperbridge communicates the root cause.
This is not financial advice. Always do your own research before making investment decisions.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
Arthur Hayes Says $ZEC Is Privacy Complement To Bitcoin
Hyperbridge Exploit Hits Polkadot’s Ethereum Bridge
PreStocks Hits $29M All-Time High in Daily Trading Volume on Solana
Japanese Banks Showcase XRP To Be Faster And 60% Cheaper Than SWIFT
Arthur Hayes Says $ZEC Is Privacy Complement To Bitcoin
Hyperbridge Exploit Hits Polkadot’s Ethereum Bridge
PreStocks Hits $29M All-Time High in Daily Trading Volume on Solana
Japanese Banks Showcase XRP To Be Faster And 60% Cheaper Than SWIFT
