Hyperbridge Hack: Forged Proofs Drain Funds, $50K Bug Bounties Launched!

Forged Proof, Drained Funds: Hyperbridge Breaks Down April 13 Exploit

Key Highlights

  • Hyperbridge’s April 13 exploit stemmed from a vulnerability in its MMR verifier logic.
  • Attackers used forged proofs with out-of-bounds leaf indexes to drain token gateway funds.
  • Hyperbridge launched a public bug bounty program with rewards up to $50,000 following the incident.

Hyperbridge, an open cross-chain messaging protocol, has released a detailed report on the security incident of April 13, 2026. An attacker exploited a weakness in how the system verified proofs, specifically within the Merkle Mountain Range (MMR) verifier, to drain funds from the Token Gateway contract.

According to the report, the attacker submitted a forged proof carrying an out-of-bounds leaf index. The MMR verifier did not check that the whole proof had been consumed once processing finished, so it accepted the forged proof as valid. Downstream components then treated the forged data as genuine, which ultimately allowed the attacker to drain funds from the Token Gateway.
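As an added illustration (not Hyperbridge's or Polytope Labs' code, and not a reconstruction of the actual bug), the toy MMR verifier below enforces the two invariants the report points to: the leaf index must lie inside the committed leaf count, and the proof must be consumed exactly, with no leftover items. The hash function, peak layout and `Proof` layout are simplified assumptions.

```rust
// Added example (not Hyperbridge/Polytope code): toy single-leaf MMR verifier.
// An MMR with `leaf_count` leaves is a row of perfect binary trees ("peaks"),
// one per set bit of `leaf_count`, largest peak first.
#[derive(Debug, PartialEq)]
pub enum VerifyError { LeafIndexOutOfBounds, ProofNotFullyConsumed, RootMismatch }

/// Toy 64-bit node hash; NOT cryptographic, stands in for keccak/blake2.
pub fn h(a: u64, b: u64) -> u64 {
    let x = a.wrapping_mul(0x9E37_79B9_7F4A_7C15) ^ b.rotate_left(29);
    (x ^ (x >> 31)).wrapping_mul(0xBF58_476D_1CE4_E5B9)
}

/// Bag peaks right to left: root = h(p0, h(p1, h(p2, ...))).
fn bag(peaks: &[u64]) -> u64 {
    let mut it = peaks.iter().rev().copied();
    let mut acc = it.next().expect("at least one peak");
    for p in it { acc = h(p, acc); }
    acc
}

pub struct Proof {
    pub leaf_index: u64,       // claimed position of the leaf in the MMR
    pub leaf: u64,             // hash of the leaf being proven
    pub siblings: Vec<u64>,    // path from leaf to its peak, bottom first
    pub other_peaks: Vec<u64>, // remaining peaks, largest first
}

pub fn verify(root: u64, leaf_count: u64, p: &Proof) -> Result<(), VerifyError> {
    // Invariant 1: the leaf index must lie inside the committed MMR.
    if p.leaf_index >= leaf_count { return Err(VerifyError::LeafIndexOutOfBounds); }
    // Locate the peak holding the leaf: a peak has 2^k leaves for each set bit k.
    let (mut offset, mut peak_pos, mut height) = (0u64, 0usize, 0usize);
    for k in (0..64u32).rev().filter(|&k| (leaf_count >> k) & 1 == 1) {
        if p.leaf_index < offset + (1u64 << k) { height = k as usize; break; }
        offset += 1u64 << k; peak_pos += 1;
    }
    // Invariant 2: the proof must be consumed exactly. Leftover siblings or
    // peaks mean a malformed proof, which is rejected rather than ignored.
    let total_peaks = leaf_count.count_ones() as usize;
    if p.siblings.len() != height || p.other_peaks.len() != total_peaks - 1 {
        return Err(VerifyError::ProofNotFullyConsumed);
    }
    let (mut pos, mut node) = (p.leaf_index - offset, p.leaf);
    for s in &p.siblings {
        node = if (pos & 1) == 0 { h(node, *s) } else { h(*s, node) };
        pos >>= 1;
    }
    let mut peaks = p.other_peaks.clone();
    peaks.insert(peak_pos, node);
    if bag(&peaks) == root { Ok(()) } else { Err(VerifyError::RootMismatch) }
}
```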

Hyperbridge has enhanced its security and reliability by: reducing potential vulnerabilities, improving how transactions are confirmed, refining how funds are held in escrow, making the system for verifying information more robust, and initiating a bug bounty program with rewards ranging from $200 to $50,000 through HackenProof.

— Hyperbridge (@hyperbridge) May 14, 2026

Internal review and security audits

After the incident, my team at Polytope Labs conducted a thorough internal review, and we also brought in Security Research Labs (SR Labs) for an independent audit. Together, these assessments identified a total of 14 vulnerabilities within our verification and settlement systems. We categorized them as follows: 1 critical, 3 high severity, 5 medium, 4 low, and 1 informational.

At the same time, Polytope Labs reviewed the Hyperbridge protocol and discovered a similar security issue in two popular open-source libraries used within the Polkadot network. These vulnerabilities were reported confidentially to the library developers and have now been fixed.

  • paritytech/merkle-mountain-range (used in Polkadot’s pallet-beefy-mmr): Fixed by Parity.
  • antouhou/rs-merkle: Hyperbridge is currently running on a patched fork while upstream review continues.

We also discovered several problems, including vulnerabilities related to how leaf indexes were handled, instances where incomplete proofs were incorrectly reported as successful, and issues with how fees were managed for tokens transferred through the IntentGatewayV2 and its escrow system.

Response and bug bounty program

After the incident, Hyperbridge strengthened its security checks, simplified its code to reduce potential vulnerabilities, and refined how transactions are processed. It also created a bug bounty program with HackenProof, offering rewards between $200 and $50,000 to anyone who reports security flaws.

Researchers who find and report security flaws in the Hyperbridge system can earn rewards. The program's scope covers the entire Hyperbridge code base. We’re interested in any vulnerabilities that could affect the security of messages or funds transferred through Hyperbridge. Once a report is approved, we’ll respond within three days with a classification and reward amount.

In the recent X thread, Hyperbridge emphasized its commitment to openness and to taking responsibility for the health of its network. The security issue was limited to the Token Gateway and did not affect the wider system for sending messages between blockchains. Because the protocol was temporarily paused, no additional funds have been lost.

Difficulties in cross-chain solutions

On April 13, a security flaw in Hyperbridge’s MMR verifier allowed an attacker to drain funds from the Token Gateway. The root cause was a defect in how Merkle proofs were checked.

Despite some financial losses from the recent hack, our team quickly shut down the affected systems, resolved the immediate problems, and thoroughly reviewed our security measures. This review uncovered and fixed several other potential vulnerabilities. We also believe in transparency and responsible security practices, so we publicly shared details of the incident with the broader Polkadot community.

This event shows how challenging it is to create secure systems that work across different blockchains. The protocol is now restarting with code that has been carefully checked, more thorough testing, and rewards offered for finding bugs. It remains to be seen how well these improvements will work.

2026-05-14 20:30