---

The cross-chain bridge protocol Hyperbridge confirmed on April 16 that losses from a smart contract exploit carried out on April 13 have been revised upward to approximately $2.5 million, according to reporting by The Block. The earlier estimate of roughly $237,000 captured only a fraction of the actual damage. On-chain investigators subsequently identified a second pool of funds, totaling around 245 ETH (more than $500,000), that was drained separately from the TokenGateway contract and routed through Tornado Cash. The revised total also incorporates losses across multiple additional bridged token contracts, including ARGN, MANTA, and CERE, which broader on-chain forensic work identified as separately affected. Some portion of the stolen funds has since been traced to Binance, according to The Block, a dominant crypto exchange platform across sub-Saharan Africa.

The protocol, built on Polkadot and developed by Nigeria-based blockchain firm Polytope Labs, has paused all bridging operations while security patches are applied. Polkadot's native relay chain and its parachains were not affected. The exploit was isolated to Hyperbridge's Ethereum gateway contract.

How the attack worked

The vulnerability traced back to a missing input validation in the VerifyProof() function inside the HandlerV1 smart contract. The function was supposed to confirm that a submitted proof corresponded to a legitimate cross-chain message, but it failed to enforce that a leaf index was within the valid range of the Merkle Mountain Range (MMR) tree structure used to verify state. By submitting a crafted proof with a leaf count of one and a leaf index of one, the attacker caused the root calculation to skip incorporating the actual message content entirely. That meant any forged message could pass as verified.

Security firm BlockSec Phalcon summarized the flaw concisely: the system "checked that a request hash had not been used before, without verifying if the proof actually matched the message." Once past that gate, the attacker forged a governance-style instruction appearing to originate from Hyperbridge's own control address, used it to take admin control of the bridged DOT token contract on Ethereum, and minted one billion tokens in a single transaction. Those tokens carried a nominal market value of between $1.2 billion and $2 billion at the time, but the attacker first routed them through Odos Router V3 before entering the Uniswap V4 DOT/ETH pool, where illiquid conditions meant the attacker could extract only about 108 ETH before the per-token price collapsed. That liquidity constraint is what made the initial loss estimate so low.

Context: A Nigerian-built protocol under scrutiny

Polytope Labs was co-founded by Seun Lanlege and David Salami, two Nigerian engineers who previously worked as core developers at Parity Technologies, the firm behind Polkadot and the Substrate framework. The company raised more than $5.5 million from backers including the Polkadot Ecosystem Fund (a joint venture of the Web3 Foundation and Scytale Digital), and the protocol reached a peak market cap of around $200 million. Regional tech outlets including Techpoint Africa, Businessday NG, and Silicon Africa have described Hyperbridge as one of the few blockchain infrastructure projects built by Africans that operates at a global scale.

That reputation makes this incident consequential beyond its dollar value. Lanlege had argued publicly that the cryptographic proof model underlying Hyperbridge offered stronger security guarantees than older bridge designs that rely on trusted off-chain validators. "Bridges are only as secure as their authentication mechanisms," he said in prior remarks published by TechCabal. "Traditional bridges that rely on trusted offchain parties for authentication have seen over $2B lost to exploits." The irony is that the exploit was not a flaw in Hyperbridge's cryptographic model but in its implementation.

Adding to the reputational sting: on April 1, just twelve days before the attack, Hyperbridge published a blog post titled "Why Hyperbridge Can't Be Hacked," framed as an April Fools' joke complete with a Rickroll gif and a fictional incident report. The post was later deleted. In February, an account loosely associated with the team and operating under the name "Web3 Philosopher" responded to a bug bounty inquiry with the remark "exploit them if you found them," a comment that, in retrospect, reflects a pattern of cavalier posture toward security disclosures in the months leading up to the incident.

Regional implications

The tracing of funds to Binance carries particular weight in Africa, where Binance is the dominant exchange platform across Nigeria, Kenya, Ghana, and South Africa. Because Binance holds that position across sub-Saharan Africa, there is a non-trivial chance the destination accounts belong to African users subject to know-your-customer verification, which would make freezing those assets feasible through regulatory cooperation. DOT's price fell roughly 5% in the 24 hours following public disclosure of the exploit.

For users in Sub-Saharan Africa and South Asia who rely on cross-chain bridges to move between Ethereum, BNB Chain, and Polkadot ecosystems (often because local banking infrastructure limits access to dollar-denominated yield), the suspension of Hyperbridge's bridging functions is a direct operational disruption, not just a headline.

What comes next

Hyperbridge said bridging would resume "once we have integrated additional security measures," though no specific timeline has been provided. A full post-mortem from Polytope Labs had not been published as of this writing. The incident lands in a Q1 2026 that has seen roughly $168 million stolen across 34 DeFi protocols, a sharp decline from $1.58 billion in the same period last year. Even in a quieter environment, bridge exploits continue to account for a disproportionate share of DeFi losses: cross-chain bridges accounted for approximately 50% of laundered hack value in 2025, according to researchers tracking the sector. Cross-chain bridges have shed more than $3 billion to attackers since 2021, and this case reinforces that sophisticated cryptographic architecture does not protect against bugs in the code that implements it.