April 17, 2026 ChainGPT

Hyperbridge: $2.5M Loss After MMR Bug Lets Attacker Mint 1B Wrapped DOT

Hyperbridge has substantially revised the losses from this week’s Polkadot–Ethereum bridge exploit — and the new tally is far worse than first reported.

What happened

- An attacker exploited a flaw in the Merkle Mountain Range (MMR) proof verification logic used by Hyperbridge’s Token Gateway. That vulnerability allowed a forged cross‑chain message to bypass verification, minting 1 billion wrapped DOT on Ethereum and enabling the attacker to drain escrowed assets.
- Hours earlier, the same actor also extracted roughly 245 ETH from a TokenGateway contract — a separate theft that went unnoticed in Hyperbridge’s initial public estimate.

The damage

- Hyperbridge’s first public figure — about $237,000 — was based only on the visible sell‑off of the bridged DOT on Ethereum. After reconciling activity across chains and accounting for the earlier ETH drain and losses from incentive pools, the team now says the realized loss is approximately $2.5 million (valued in ETH and DOT at the time of the exploit).
- The incident affected four blockchains (Ethereum, Base, Arbitrum and BNB Chain), contradicting the earlier claim that only Ethereum was impacted.
- Funds stolen so far have been traced to a deposit address on Binance. Hyperbridge says it has contacted Binance’s compliance team and relevant law enforcement, but warns that meaningful recovery, if possible, could take months or up to a year.

Response and remediation

- Bridging on the four affected chains is paused and will remain so until a patch is deployed and audited.
- Hyperbridge says it aims to make affected users whole. If recovery efforts fall short, the protocol is prepared to allocate BRIDGE tokens to cover any residual loss.
- That plan faces headwinds: BRIDGE has very low trading volume (about $1,800 over 24 hours) and last changed hands around $0.006 on March 29, giving it a market cap near $858,000 — roughly one‑third of the total loss.

Takeaway for cross‑chain security

- The team reiterated that cryptographic proofs are essential for cross‑chain interoperability but warned that verification logic needs more frequent audits and adversarial testing across every layer of the stack. Hyperbridge said the Token Gateway will operate under those heightened standards going forward.

Why it matters

- This incident underscores persistent risks in cross‑chain bridges: a single validation bug can be leveraged in multiple phases and across multiple chains, amplifying losses and complicating recovery. The episode will likely renew scrutiny of MMR implementations, bridge audit practices, and the preparedness of centralized exchanges to freeze stolen on‑ramp funds.