Hyperbridge revises April hack loss to about $2.5M

On April 16, Hyperbridge revised the estimated loss from its April 13 incident to about $2.5 million, up from an initial $237,000 figure. The update described a two-phase attack that allowed the minting of roughly 1 billion bridged DOT and caused losses on four EVM chains: Ethereum, Base, BNB Chain and Arbitrum.

The earlier $237,000 estimate counted only bridged DOT visible on Ethereum. Hyperbridge’s recovery update said the attack began nearly an hour earlier with a separate extraction that the initial figure did not include.

In the first phase the attacker moved about 245 ETH from a related Token Gateway contract. About an hour later a forged cross-chain message bypassed Hyperbridge’s Merkle Mountain Range proof verification and granted administrative control over the bridged DOT token contract.

With that control the attacker minted roughly 1 billion bridged DOT and sold tokens on decentralized exchanges.

Security firm BlockSec Phalcon identified the root cause as a missing bounds check in the VerifyProof() function of Hyperbridge’s Handler V1 contract, code written more than two years ago.

Hyperbridge’s revised total includes the earlier ETH extraction and losses from incentive pools running across the four affected chains. The approximately $2.5 million figure is calculated using ETH and DOT values at the time of the hack.

Twelve days before the incident Hyperbridge posted an April Fools’ message claiming the Lazarus Group had stolen $37 million and linked to a blog that was later deleted. In its recovery update the team wrote, “What this exploit has made clear, expensively, is that verification logic needs more frequent audits and adversarial testing at every layer of the stack.”

Hyperbridge confirmed a large portion of the stolen funds has been traced on-chain to Binance but said it will withhold specific details that could affect the ongoing investigation. The protocol committed to allocate BRIDGE tokens to cover any remaining losses if affected users are not made whole through other channels; the disbursement schedule and valuation will be disclosed on April 13, 2027.

Token Gateway operations will remain paused until the vulnerability is fully patched, the patch passes an independent audit with the report published, and additional safeguards are in place. Hyperbridge added that its Intent Gateway and the products built on top of it were not affected and continue to operate. The protocol has not provided a timeline for recovery or user compensation beyond the 2027 contingency.