The attack centered on Hyperbridge's ISMP gateway contract (ISMP, or Interoperable State Machine Protocol, is a system designed to verify cross-chain messages using cryptographic state proofs rather than trusted intermediaries). According to on-chain analysis from security firm CertiK, the attacker submitted forged state proofs to the HandlerV1 contract in a multi-stage operation. In a single Ethereum transaction, the attacker deployed both a master contract and a helper contract, then triggered a malicious ChangeAssetAdmin action through the TokenGateway.onAccept() execution path. This sequence tricked the system into executing an unauthorized admin transfer, handing the attacker full control over the bridged DOT ERC-20 token contract on Ethereum, including the ability to mint unlimited tokens.

Once in control, the attacker minted roughly one billion bridged DOT. Before the exploit, the token's entire circulating supply on Ethereum was approximately 356,000 units, meaning the attacker inflated supply by a factor of about 2,805. The newly minted tokens were then sold through OdosRouter and Uniswap V4, two decentralized trading venues. Losses were capped by the shallow liquidity in Hyperbridge's bridged DOT pools: the available depth simply could not absorb more than $237,000 worth of sell pressure. A deeper pool would have enabled significantly larger losses.

According to CertiK's analysis, as reported by BeInCrypto via Yahoo Finance, the attacker used a forged message to gain unauthorized control and manipulated the admin role of a Polkadot token contract on Ethereum, enabling the minting of 1 billion tokens.

This was not the first warning the protocol received that day. An identical proof-forgery attack had already been executed earlier on April 13, draining approximately $12,000 in MANTA and CERE tokens from the same system. The earlier breach did not trigger a halt in time to prevent the larger DOT exploit, raising questions about how quickly the team monitored for and responded to active security incidents. The timing compounds those concerns: Hyperbridge had paused bridging operations in February 2026 due to a Polkadot runtime limitation and had only recently restored service before the April 13 attacks. The attacker wallet, identified as 0xc513...f1f8e7, was still holding proceeds at the time initial reports were published. Hyperbridge has since paused operations.

Polkadot moved quickly to clarify the scope of the damage. "Polkadot, its parachains, and native DOT remain secure and unaffected. Hyperbridge has been paused while the issue is investigated," the project stated on April 13. Native DOT on the relay chain fell as much as 4.8% on the day, with figures varying by source and timestamp in a range from approximately 2.83% to 4.8% during a volatile post-exploit window. The bridged version of DOT on Ethereum, by contrast, lost nearly all of its value as the attacker's selling wiped out available liquidity.

South Korean exchanges bore the most immediate regional impact. Upbit and Bithumb, the two largest crypto platforms in South Korea and among the most active globally for DOT trading, both suspended DOT deposits and withdrawals following reports of the incident. South Korean retail investors were effectively locked out of DOT liquidity during the sharpest post-exploit window. The Bithumb suspension is particularly notable given the exchange was fined $24 million by South Korean financial regulators in March 2026 and placed under a six-month partial suspension for anti-money laundering violations. Any further association with a security incident adds to the pressure the exchange is already managing with regulators.

For developers and users in South Asia, the exploit has practical consequences even without a direct exchange disruption. Polkadot parachain projects in India and Pakistan have been building substrate-based application chains, NFT platforms, and DeFi protocols that depend on Hyperbridge as an interoperability layer between Polkadot and Ethereum-based DeFi. With the bridge paused and its security model now under scrutiny, those projects face uncertainty over when and whether the infrastructure they relied on will return in a trustworthy form. No confirmed disruptions were reported on South Asian exchanges at the time of publication. In Africa, where Polkadot has had smaller but growing adoption through developer grant programs and DeFi experiments in Nigeria, Kenya, and South Africa, the direct impact appears limited due to minimal bridged DOT liquidity in those markets.

Polytope Labs had not issued a widely circulated public statement as of initial reporting, and a Hyperbridge blog post linked in search results returned a 404 error. All technical analysis in circulation comes from third-party security firms including CertiK and PeckShield, as well as on-chain trackers Lookonchain and OnchainLens, which were first to document the billion-token mint in real time. The broader context is stark: bridge exploits account for more than 60% of all crypto hack losses by value, with cumulative losses exceeding $2 billion according to Chainalysis data. March 2026 alone saw roughly $52 million stolen across approximately 20 incidents. The attack also echoes a precedent from within the Polkadot ecosystem: in August 2022, a liquidity pool misconfiguration on Acala led to the unauthorized minting of 1.2 billion aUSD tokens, illustrating that unbounded minting attacks are not without ecosystem history. A full post-mortem from Polytope Labs is still pending.