Hyperbridge spent the last three days telling the market that the damage it took from its April 13 loss was manageable. But in its recovery update today, April 16, it revealed that the initial loss estimate, which was calculated at $237,000, was actually around $2.5 million.
That near-10x recalculation has raised the seriousness of the exploit a few levels, compounded by the fact that this is a multi-chain incident with no recovery timeline in sight. It also comes off the back of Hyperbridge’s April Fools’ joke where claimed it was hacked by the Lazarus Group.
How did $237,000 become $2.5 million?
The $237,000 figure circulating on news sources was based only on the observable loss of bridged Polkadot (DOT) tokens on Ethereum. As it turns out, that was just the most visible part of an attack that had already been running for almost an hour before the $237,000 disappeared.
According to Hyperbridge’s full recovery update blog post, the exploit happened in two phases. The first phase was a quiet extraction, moving nearly 245 ETH from a related TokenGateway contract before the second phase began.
An hour later, a fake cross-chain message bypassed Hyperbridge’s Merkle Mountain Range proof verification logic, thus giving the hacker administrative control over the bridged DOT token contract and allowing them to mint approximately 1 billion bridged DOT tokens, which were subsequently dumped into other decentralized exchanges.
The confirmed root cause of the attack, as identified by BlockSec Phalcon was a missing bounds check in the VerifyProof() function of Hyperbridge’s Handler V1 contract, written over two years ago.
The initial $237,000 figure also did not account for losses from the incentive pools running across the four affected EVM chains.
After Hyperbridge recorded all the attacker activity across Ethereum, Base, BNB Chain and Arbitrum, the two-phase structure of the attack as well as the associated pool losses revised the initial total to approximately $2.5 million valued in ETH and DOT at the time of the hack.
An April Fools’ prank that could not look worse in retrospect
The Hyperbridge exploit comes exactly twelve days after Hyperbridge posted an April Fools’ joke claiming the North Korean Lazarus Group had stolen $37 million from the protocol. The announcement was linked to a deleted blog post explaining “Why HyperBridge Can’t Be Hacked.”
Historically, Hyperbridge has positioned itself as a proof-based interoperability layer offering full-node security for cross-chain bridges, which was the exact mechanism the April 13 hack used to break in.
In its update today, the Hyperbridge team addressed that directly, without flinching: “What this exploit has made clear, expensively, is that verification logic needs more frequent audits and adversarial testing at every layer of the stack.”
When can Hyperbridge users expect compensation?
Hyperbridge has now confirmed that a large part of the stolen funds has been traced on-chain to Binance, but it said it will not reveal specific details not to compromise the ongoing investigation.
The protocol has also disclosed what will happen if the recovery fails. If affected users are not made whole through other channels, Hyperbridge is committing to a structured allocation of BRIDGE tokens to cover the residual loss.
The disbursement schedule and valuation details will be disclosed on April 13, 2027, one year after the exploit.
Token Gateway operations will remain paused until three conditions are met: the vulnerability is fully patched, the patch has been independently audited with the report made public, and additional safeguards are operational.
Hyperbridge’s Intent Gateway and the products built on top of it are unaffected by the exploit and continue to operate normally.
