Hyperbridge (Polkadot-native interoperability rollup built by Polytope Labs; Token Gateway / HandlerV1): Smart-contract proof-verification bypass — MMR bounds-check failure + missing proof-to-request binding + zero challenge period + single-step admin transfer
An attacker bypassed Hyperbridge's Merkle Mountain Range proof verifier with a single out-of-bounds index value, minted 1 billion fake bridged DOT worth over $1B notional, and extracted $2.5M before thin DEX liquidity capped the haul — all in a single atomic transaction.
Summary
Hyperbridge (Polkadot-native interoperability rollup built by Polytope Labs; Token Gateway / HandlerV1) suffered a Cross-Chain Bridge / Interoperability Protocol exploit on 2026-04-13, resulting in a loss of approximately $3M.
Linked factors
- RD-F-002 (related): Audit recency (stale signal — text variants only; numeric thresholds need value-parser, deferred) [via dashboard_risk_factors/Time since last audit: ~16–18 months (2024 → April 2026)]
- RD-F-006 (causal): Audit-deploy gap (RD-F-006 time between audit and deploy; also matched under the alternate field name "Audit-deploy gap") [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — the HandlerV1 design flaws were longstanding, not from a recent upgrade]
- RD-F-008 (illustrative): Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited code (SR Labs 2024); the specific MMR off-by-one and missing proof-to-request binding were not caught]
- RD-F-090 (illustrative): Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Attacker deployed 15+ test contracts against live protocol state over ~1 month; custom zk-SNARK keys pre-staged 8.5 months earlier; attacker...]
- RD-F-146 (related): New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: N — the HandlerV1 design flaws were longstanding, not from a recent upgrade]