Hyperbridge MMR bug led to $2.5M Polkadot bridge loss

Hyperbridge reported a bug in its Merkle Mountain Range (MMR) proof verification that allowed an attacker to mint 1 billion wrapped Polkadot (DOT) tokens and drain roughly $2.5 million in value. The protocol traced part of the stolen funds to a Binance deposit address and has engaged the exchange’s compliance team and law enforcement.

In an initial public estimate, the protocol observed about $237,000 in losses after a large sell-off of the forged bridged DOT on Ethereum. After reconciling activity across four affected chains-Ethereum, Base, Arbitrum and BNB Chain-and accounting for losses from incentive pools, Hyperbridge revised the realized loss to approximately $2.5 million, measured in ETH and DOT at the time of the exploit.

Hyperbridge described the attack as two phases. Hours before the forged bridge message, the attacker extracted about 245 ETH from a TokenGateway contract. Around an hour later a forged cross-chain message bypassed MMR proof verification and enabled the minting of 1 billion bridged DOT, which the attacker dumped into thin liquidity. The artificial supply produced a paper value above $1.1 billion, but limited market liquidity constrained immediate cash-out to roughly $237,000 from DOT sales; the earlier 245 ETH loss added about $561,000 to the realized total.

The protocol posted a technical summary that read in part: “An attacker exploited a vulnerability in the Merkle Mountain Range (MMR) proof verification logic, allowing the culprit to mint assets and drain escrowed assets on Token Gateway.” Bridging operations on the four affected chains remain paused and will only resume after Hyperbridge deploys a patch and completes an audit.

Hyperbridge said the stolen funds were traced to a Binance deposit address and that it is working with the exchange and law enforcement to seek freezing and recovery. The team warned that recovery timelines of this type are typically measured in months and can extend up to a year.

The protocol committed to repaying affected users and prepared a structured allocation of its native BRIDGE token to cover any residual loss it cannot recover. BRIDGE has low trading volume and market capitalization: on March 29 it last traded near $0.006 with 24-hour volume around $1,800 and a market cap of about $858,000, roughly one-third of the revised loss amount.

Investigations and on-chain tracing are ongoing as Hyperbridge works with third parties and authorities to recover assets and complete security fixes needed to restore cross-chain services.