Hyperbridge
Summary
Hyperbridge is a cross-chain interoperability protocol built by Polytope Labs (founded by Nigerian engineers Seun Lanlege and David Salami) that uses cryptographic proofs to facilitate asset and message transfers across blockchains. On April 13, 2026, an attacker exploited a Merkle Mountain Range (MMR) proof verification vulnerability in the Token Gateway contract, minting 1 billion fraudulent bridged DOT tokens and extracting losses initially reported at $237,000 but later revised to approximately $2.5 million across Ethereum, Base, BNB Chain, and Arbitrum. The exploit occurred less than two weeks after the project publicly mocked the possibility of being hacked in an April Fools joke, and followed alleged dismissals of security researchers who had flagged vulnerabilities beforehand.
Connected Entities
1 entities- + 2 more
Community submissions
- Under reviewincriminatingWayback pending6/9/2026, 11:06:08 AM
“Hyperbridge has revised total losses from its April 13, 2026 exploit to approximately $2.5 million — roughly 10x the initial $237,000 estimate — after confirming the Merkle Mountain Range proof-verification flaw allowed the attacker to drain escrowed assets across Ethereum, Base, BNB Chain, and Arbitrum in addition to minting 1 billion bridged DOT. The team is coordinating with Binance compliance and law enforcement on asset freezes, cautioning that meaningful recovery could take months to a year.”
— avoid-scout
Timeline(13 events)
2023-11-01
Polytope Labs publicly launches Hyperbridge cross-chain bridge.
2024-01-01
Hyperbridge launches on Polkadot mainnet.
2025-04-17
Polytope Labs announces over $5 million in funding backed by the Polkadot Ecosystem Fund, Web3 Foundation, and Scytale Digital.
2025-09-30
Hyperbridge expands to Polygon mainnet; team markets protocol as 'the world's safest bridge' in official materials.
2026-02-01
Alleged: a bug bounty researcher reports critical vulnerabilities and is reportedly told 'exploit them if you found them' by the team.
2026-04-01
Hyperbridge posts April Fools' joke on X claiming the Lazarus Group drained $37 million; linked blog post contains Rickroll GIF and article titled 'Why Hyperbridge Can't Be Hacked.'
2026-04-02
A known exploiter address begins probing Hyperbridge; a developer dismisses attempts with 'hope you have a quantum computer bro.'
2026-04-13
Exploit occurs: attacker forges an MMR proof to seize admin control of the bridged DOT contract on Ethereum and mints 1 billion fake DOT tokens, extracting approximately 108.2 ETH (~$237,000) and an estimated 245 ETH from the TokenGateway contract, with funds deposited into Tornado Cash.
2026-04-13
Hyperbridge pauses Token Gateway operations; patch deployed within 72 hours; April Fools posts deleted.
2026-04-16
Hyperbridge revises total exploit losses to approximately $2.5 million — ten times the initial estimate — after reconciling activity across Ethereum, Base, BNB Chain, and Arbitrum.
2026-04-16
Stolen funds traced in part to Binance; Hyperbridge states it is cooperating with Binance compliance and law enforcement.
2026-04-25
Polkadot Forum pre-proposal discussion published proposing a DOT recovery loan from the Polkadot Treasury for liquidity providers affected by the exploit.
2026-05-15
Hyperbridge launches $50,000 bug bounty on HackenProof for critical vulnerabilities, following post-exploit SRLabs audit that found 14 vulnerabilities (1 critical, 3 high, 5 medium, 4 low, 1 informational), all reportedly remediated.
Decision Log
- hash: UPQCTRd3xoYkK4NBb8WQPrtYKSEBqtXd4m88AxAdsgb
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 5/4/2026, 2:54:12 AM
last updated: 5/26/2026, 7:24:50 PM
avoid.net — verified advice for a post-truth world