TLDR
- Hyperbridge raised realized exploit losses to about $2.5 million after a fuller forensic review.
- The April 13 Token Gateway attack affected Ethereum, Base, BNB Chain, and Arbitrum.
- The attacker first took about 245 ETH before minting about 1 billion bridged DOT.
- Token Gateway bridging remains paused until a patch, audit, and public release are complete.
- Hyperbridge traced a large share of the funds to Binance and is working with law enforcement.
Polkadot-linked Hyperbridge exploit losses jumped to about $2.5 million after a fuller forensic review. The team had first estimated realized losses near $237,000 after the April 13 Token Gateway breach. That revision came after a broader review of onchain activity.
The updated figure covers activity on Ethereum, Base, BNB Chain, and Arbitrum. It also includes losses tied to related incentive pools. The new count reflects realized losses, not only the first visible token sales.
Revised loss count shows wider damage
Early reports focused on bridged DOT sold on Ethereum after the breach. Later checks showed a larger trail across four chains and two attack stages. The first estimate missed damage outside Ethereum and outside immediate DOT dumping.
Hyperbridge said the attacker first extracted about 245 ETH from Token Gateway. About an hour later, a forged cross-chain message opened a route to mint false tokens. The later phase drove most of the financial damage.
The attacker then created about 1 billion bridged DOT and sold it into available liquidity. That sale pushed the loss estimate close to ten times the first public number. Hyperbridge said the attack had a two-phase structure.
Forged message opened the minting route
The team linked the breach to proof checks in its HandlerV1 route. Those checks use a Merkle Mountain Range system to verify cross-chain messages. That route helps move messages between chains.
Hyperbridge said the forged message bypassed that verification logic. Researchers said the flaw gave the attacker admin control over the bridged DOT token contract. That control let the attacker mint and move fake bridged DOT.
The protocol said the damage stayed within Token Gateway and related bridged token contracts. Native DOT on Polkadot and assets bridged through other providers were not affected. Polkadot also said the wider network stayed safe.
Recovery work continues while bridge stays paused
Bridging through Token Gateway remains paused while engineers finish a patch and an outside audit. Hyperbridge said service will return only after the fix is public. The team said it will publish the audit before reopening the route.
The team said it traced a large share of the funds to Binance. It is working with the exchange and law enforcement, but recovery could take “months” or “up to a year”. For now, it is withholding some details during the investigation.
If recovery falls short, Hyperbridge said it will use BRIDGE tokens to cover remaining user losses. The project plans that distribution one year after the exploit date. It said proof-based bridge design remains “the most secure approach” despite the breach.







