The Hyperbridge cross-chain gateway connecting Polkadot to Ethereum was exploited on April 13.

Key Takeaways

• Hyperbridge exploit minted 1 billion DOT on Ethereum.

• Attacker minted tokens worth $1.1B at prior market rates, realized only 108.2 ETH.

• Bridged DOT collapsed from $1.22 to near zero within one hour of the dump.

• Native DOT on Polkadot relay chain unaffected – down ~4% in sympathy.

What Happened

The Hyperbridge cross-chain gateway, a bridge connecting Polkadot to Ethereum, was exploited on April 13, 2026. The attacker identified a vulnerability that allowed them to seize admin privileges over the DOT token contract on Ethereum, transfer control to a malicious address, and forge gateway messages to authorize minting. One billion DOT were created and immediately dumped into available liquidity pools.

The timing is the most damaging contextual detail. In March 2026, six weeks before this exploit, the Polkadot community implemented a hard supply cap of 2.1 billion DOT through governance. The decision was designed to give DOT, which recently got its first spot ETF on Nasdaq, monetary credibility through enforced scarcity.

BRIDGED POLKADOT JUST GOT EXPLOITED

An attacker exploited a third-party bridge to mint 1 Billion DOT tokens on Ethereum. They sold them straight into the liquidity pool, removing over $240K in ETH across multiple transactions.

Track the attacker on Arkham using the link below: pic.twitter.com/2glmVWsDjS

— Arkham (@arkham) April 13, 2026

According to Yahoo Finance, the exploit minted tokens equal to nearly 48% of that entire capped supply in a single transaction. The governance mechanism that was supposed to make DOT scarcer was bypassed entirely through a cross-chain contract that operated on different infrastructure.

The native Polkadot relay chain was not affected. The supply cap on the native chain remains intact. The exploit targeted only the bridged representation of DOT on Ethereum, but for holders of that bridged asset, the distinction is academic.

Current Status

Security firms PeckShield and CertiK have flagged the exploit and are tracking the movement of the 108.2 ETH the attacker realized. Upbit suspended all DOT deposits and withdrawals immediately, the first exchange action, and a signal that the industry is treating the bridged asset as compromised regardless of what the Polkadot team says officially.

Efforts are underway to isolate the compromised Hyperbridge contract to prevent further unauthorized minting. Users are warned not to interact with bridged or wrapped DOT on Ethereum until a new secure contract is deployed. As of reporting, neither the Web3 Foundation nor the Hyperbridge team has issued a formal statement.

The Liquidity Number That Tells the Whole Story

The exploit mechanics explain how it happened. The $237,000 figure explains what it actually meant for the market.

The attacker minted tokens with an apparent market value of $1.1 billion at prior rates and walked away with 108.2 ETH, approximately $237,000. The gap between those two numbers is not a quirk of the execution. It is the precise measure of the actual liquidity depth of the bridged DOT market on Ethereum. Available liquidity in the pools the attacker dumped into was approximately $237,000. The asset that was supposedly worth $1.1 billion could absorb that much selling before the price collapsed to near zero.

The bridged DOT on Ethereum did not have $1.1 billion worth of real market depth. It had $237,000. Everything above that figure was price discovery built on the assumption that the bridged asset was redeemable for native DOT. Once that assumption was broken, the apparent value evaporated instantly.

If the apparent value was never real liquidity, reimbursing holders means replacing something that was never fully backed, and the treasury cannot do it even if the community wanted to.

The Reimbursement Problem

The community that just voted for monetary scarcity is now being asked to consider inflating supply by 48% to fix a bridge it did not build. That tension has no clean resolution, and it is the first thing any reimbursement proposal will have to confront.

The Polkadot Treasury currently holds approximately 44 million DOT. The exploit involved 1 billion DOT, more than 22 times the treasury balance. Full reimbursement through a standard treasury spend is mathematically impossible. Any meaningful compensation would require either minting new tokens, directly undermining the supply cap governance decision made six weeks ago, or some unprecedented protocol-level intervention the community has not previously used.

If a proposal is eventually submitted, it must pass through Polkadot’s on-chain governance system, OpenGov, under the Big Spender or Wish for Change tracks. These require a lead-in period of several days before voting begins, conviction voting where holders lock tokens to increase their influence, and an enactment delay before any funds move. The governance process is designed for deliberation. It is not designed for emergency response at this scale.

The most likely outcome is not full reimbursement. It is partial compensation directed at the most affected liquidity providers, funded through a combination of whatever treasury allocation the community will approve without triggering the inflation question, and a separate accountability process aimed at the Hyperbridge team, which built and maintained the contract that was exploited.

The Polkadot governance system did not create this vulnerability. The bridge did. That distinction will matter in how the community frames any response.

The supply cap survived the exploit. The bridge did not. And the treasury cannot cover the difference.