Overview of the Breach
The recent breach of the Polkadot-Ethereum bridge has been revealed to be far more damaging than initially assessed, according to the developers at Hyperbridge. Early estimates suggested losses of approximately $237,000; however, a detailed review has shown that the actual losses are closer to $2.5 million, signifying a staggering tenfold increase.
Details of the Incident
In a Thursday analysis, the Hyperbridge team explained that the incident stemmed from a flaw in the Merkle Mountain Range (MMR) proof verification system, which allowed the perpetrator to mint a significant number of wrapped Polkadot (DOT) tokens and siphon off funds from escrow accounts on their Token Gateway platform.
Initially, the team based their loss estimates on the immediately observable decline in the value of DOT tokens traded on Ethereum, which did not accurately reflect the full extent of the damages. In addition to the purported $237,000 loss, an earlier incident involving the exploitation of a smart contract led to the theft of 245 ETH, roughly equating to $561,000, just hours before the mass minting of counterfeit DOT tokens occurred.
Ripple Effects and Investigation
Moreover, the breach had ripple effects across three additional blockchains: Base, Arbitrum, and BNB Chain, contradicting the earlier assertion that only the Ethereum-based DOT was compromised. Following a thorough investigation into the activities of the attacker across these four blockchain environments, the Hyperbridge team confirmed that the attack was structured in two phases and resulted in substantial losses from associated incentive pools.
Current Status and Future Actions
The total damage now sits at an estimated $2.5 million, calculated in both ETH and DOT at the time of the exploit. In an effort to address the situation, the stolen amounts have been traced to a Binance deposit address. Hyperbridge has since coordinated with Binance’s compliance team and relevant law enforcement to freeze the stolen assets, although they have indicated that a resolution will take considerable time, potentially spanning several months to a year.
The developers aim to compensate affected users for their losses, but have acknowledged that if this is not feasible, they will resort to a pre-planned distribution of BRIDGE tokens, which represent the firm’s native protocol currency, to mitigate residual losses. However, current trading volumes for BRIDGE remain low; it traded for approximately $0.006 recently, equating to a market cap of around $858,000—less than one-third of the total losses incurred during the exploit.
Precautionary Measures
As a precaution, all bridging functionalities on the impacted blockchains have been temporarily suspended and will remain inactive until thorough patching and auditing processes have been completed. The Hyperbridge team underscored that this incident reaffirms their belief in the necessity of robust cryptographic proofs to ensure cross-chain interoperability. They stressed the importance of regular audits and adversarial testing of verification logic at every level, stating that going forward, such measures will be integrated into the operational standards of Token Gateway.