#What happened in the Hyperbridge Token Gateway exploit?
The recent exploit of Hyperbridge’s Token Gateway has been revised dramatically. Initially reported to incur losses of about $237,000, the figures have now escalated to approximately $2.5 million. This significant increase came after a detailed analysis of the attack across four different blockchains. The assessment looked into the two-phase structure of the exploitation and also factored in losses from associated incentive pools.
The revised assessment illustrates how the attack unfolded in two main phases. Initially, the attacker extracted roughly 245 ETH, and in the second phase, they minted nearly 1 billion unauthorized bridged DOT tokens. These tokens were then rapidly sold into the available liquidity on decentralized exchanges.
#What was the cause of this exploit?
The exploit was rooted in a specific vulnerability within the Merkle Mountain Range proof verification logic, which is utilized by Hyperbridge’s HandlerV1 path. Security investigations have indicated that this flaw enabled the attacker to create fraudulent cross-chain messages. By doing so, they gained administrative control over the bridged DOT token contracts and subsequently minted a large volume of counterfeit bridged DOT on Ethereum, capitalizing on limited trading liquidity at the time.
#Which platforms were impacted by the exploit?
The impact of the exploit was confined to the Token Gateway and specifically affected bridged token contracts across Ethereum, Base, BNB Chain, and Arbitrum. However, Hyperbridge confirmed that native DOT on the Polkadot network and its related products, such as Intent Gateway, suffered no damage. Furthermore, Polkadot clarified that this issue was limited to DOT that had been bridged to Ethereum through Hyperbridge and did not affect the native DOT assets within the broader ecosystem.
#What steps is Hyperbridge taking to recover lost funds?
Following the exploit, Hyperbridge has tracked a substantial portion of the exploited funds to Binance. The team is collaborating with Binance’s compliance unit and law enforcement to freeze and recover the funds. Should these efforts fail to fully compensate users, Hyperbridge plans to issue BRIDGE tokens to cover any remaining losses. However, details regarding this mechanism will be withheld until the recovery efforts are further advanced.
#What is the future of Token Gateway?
All bridging activities through Token Gateway have been temporarily halted as the Hyperbridge team works diligently on a patch and audits. They will not resume operations until they have addressed the underlying vulnerabilities and released the audit report to the public. It is crucial for users to stay informed about these developments as they directly impact the functionality and security of the bridging service.