Research

Post-mortems and vulnerability analysis for the Polkadot ecosystem.

April 13, 2026critical

Hyperbridge ISMP Gateway Exploit

Post-Mortem Analysis — April 13, 2026

An attacker exploited four compounding vulnerabilities in the Hyperbridge ISMP gateway to mint 1B bridged DOT and extract approximately $250,000-$787,000 across two transactions. Novel MMR proof boundary bypass, missing cryptographic binding, shallow governance auth, and dangerous ERC-6160 privilege model.

PolkadotEthereumBridgeProof ForgeryERC-6160Read analysis