Hyperbridge, which operates in the Polkadot ecosystem, increased its losses from approximately 237 thousand dollars to 2.5 million dollars after the attack related to the Token Gateway vulnerability in April. According to the update from the project team, this new figure also includes losses in incentive pools on Ethereum, Base, BNB Chain and Arbitrum. In the initial evaluations of the attack, it was thought that there was only limited damage caused by the rapid launch of new bridged DOT tokens.
Details of the attack
The Hyperbridge team stated that the attack occurred in two stages. It was stated that first, approximately 245 ETH was removed from the system, and then a fake cross-chain message was sent that bypassed the Merkle Mountain Range proof verification. Thanks to this vulnerability, the attacker generated and sold approximately 1 billion new bridged DOT tokens to existing liquidity. The attack, which targeted Token Gateway and related bridged token contracts, reportedly did not impact assets carried through native DOT and other bridge providers on Polkadot.
Bridging operations on the Token Gateway have been stopped. Hyperbridge has stated that services will only be restored after a fix has been released and independently audited. According to the team, a significant portion of the funds seized in the attack could be tracked on the chain and the traces reached the Binance exchange. Following the incident, the team reported that it was in contact with both the stock exchange and law enforcement.
Asset recovery and compensation of users
It was stated that the timeline for the recovery of funds may be extended, and in similar cases, a meaningful return of assets can sometimes take months or even a year. If the efforts are inconclusive, it was stated that Hyperbridge will distribute its own token, BRIDGE, to the victim users as compensation, and this program will be activated one year after the attack.
In the incident report, it was stated that the loss caused by the vulnerability in the bridge affected multi-chain systems and that the problem was too large to be limited to a single security vulnerability.
Security model review
Following the attack, Hyperbridge launched a comprehensive review of the protocol’s security structure. Engineers are putting the finishing touches on a patch to the verification logic to prevent such vulnerabilities. It was stated that the planned improvement was prepared to eliminate not only the specific problem detected, but also all similar security risks.
However, the Hyperbridge team argued that evidence-based bridging design was still the safest method. It was pointed out that the losses experienced throughout the sector in the last two years, exceeding 2.8 billion dollars in total, were largely due to vulnerabilities in signatories and multi-signature systems.
