On April 13, 2026, an attacker minted 1 billion bridged DOT tokens out of thin air on Ethereum - and dumped them for roughly $237,000 in ETH. The target was Hyperbridge, Polytope Labs’ trust-minimized interoperability protocol connecting Polkadot to EVM chains. The culprit wasn’t a complex cryptographic attack or a sophisticated flash loan scheme, but a single missing bounds check in a Merkle Mountain Range (MMR) verification library that allowed completely forged cross-chain messages to pass as legitimate.

What makes this incident particularly ironic? Just twelve days earlier, on April 1, Hyperbridge had published a satirical post joking about suffering a catastrophic exploit - boasting their protocol was “un-hackable.” Reality had other plans.

• Date: April 13, 2026, 03:39 – 05:08 UTC

• Protocol: Hyperbridge / ISMP Token Gateway (Ethereum)

• Loss: ~$237,000 (108.2 ETH)

• Root Cause: Missing leaf_index < leafCount bounds check in MMR proof verification

• Attacker: 0xC513E4f5D7a93A1Dd5B7C4D9f6cC2F52d2F1F8E7

• Tokens Affected: DOT (1B), ARGN (999B), MANTA (211K), CERE (23B)

Background

Hyperbridge is a cross-chain interoperability layer built by Polytope Labs that connects Polkadot to EVM-compatible chains like Ethereum. It uses the Interoperable State Machine Protocol (ISMP) to relay messages between chains, with smart contracts on Ethereum responsible for verifying cross-chain state proofs and dispatching actions like token minting and transfers.

The bridge’s security model relies on Merkle Mountain Range (MMR) proofs - a data structure used in Polkadot’s consensus - to verify that incoming cross-chain messages are legitimate. The HandlerV1 contract processes these messages: it fetches a committed Merkle root, validates message inclusion against that root, and if verification passes, dispatches the requested action.

The critical assumption? That the MMR verification library would reject any message not genuinely included in the Merkle tree. That assumption was wrong.

Root Cause

The vulnerability lies in the CalculateRoot function of the MerkleMountainRange library - a shared Solidity dependency maintained by Polytope Labs for verifying MMR proofs.

The function has a special early-exit path for single-leaf trees:

// MerkleMountainRange.sol - CalculateRoot function
// https://github.com/polytope-labs/solidity-merkle-trees

function CalculateRoot(
    bytes32[] memory proof,
    MmrLeaf[] memory leaves,
    uint256 leafCount
) internal pure returns (bytes32) {
    // special handle the only 1 leaf MMR
    if (leafCount == 1 && leaves.length == 1 && leaves[0].leaf_index == 0) {
        return leaves[0].hash;  // <-- Returns the actual leaf hash
    }
    // ... general computation path follows ...
}

When leafCount = 1 and leaf_index = 0, the function returns leaves[0].hash - the actual commitment from the cross-chain message. This is the correct behavior.

Here’s where it gets interesting. When the attacker set leaf_index = 1 - an out-of-bounds index for a tree with only one leaf (leafCount = 1) - the early-exit condition fails because leaves[0].leaf_index == 0 is no longer true. The function falls through to the general computation path:

for (uint256 p; p < length; ) {
    uint256 height = subtrees[p];
    current_subtree += 2 ** height;

    LeafIterator memory subtreeLeaves = getSubtreeLeaves(
        leaves, leafIter, current_subtree
    );

    if (subtreeLeaves.length == 0) {
        // No leaves in this subtree - take next proof element
        if (proofIter.data.length == proofIter.offset) {
            break;
        } else {
            push(peakRoots, next(proofIter));  // <-- proof[0] goes directly into peakRoots!
        }
    } else if (subtreeLeaves.length == 1 && height == 0) {
        push(peakRoots, leaves[subtreeLeaves.offset].hash);
    } else {
        push(peakRoots, CalculateSubtreeRoot(leaves, subtreeLeaves, proofIter, height));
    }
    unchecked { ++p; }
}

Since leaf_index = 1 is out of range, getSubtreeLeaves finds zero leaves matching the subtree. The code enters the subtreeLeaves.length == 0 branch and pushes proof[0] directly into peakRoots. After the peak-bagging loop, peakRoots.data[0] is returned as the computed root.

The result: CalculateRoot returns proof[0]. The attacker simply sets proof[0] equal to the expected overlay root. The “computed root” matches the “expected root” - verification passes. The actual leaf hash - the attacker’s forged message commitment - is never used in the calculation at all.

Step-by-Step: The Attack

The attacker executed a series of transactions between 03:39 and 05:08 UTC, systematically exploiting the vulnerability across multiple bridged tokens:

1. Test Run - At 03:39 UTC, the attacker deployed a contract and executed a small test transaction involving DAI (~$423), probing the exploit path (tx 0xfa23fb22...)

2. ARGN Token Mint - At 04:20 UTC, the attacker minted ~1 billion ARGN tokens, routing them through Uniswap V3 and Odos Router V3, netting approximately 1.75 ETH (tx 0xb28ab952...)

3. DOT Probe - At 04:26 UTC, the attacker minted 10,000 DOT in a smaller test, extracting ~0.02 ETH. This transaction had partial execution revert issues, suggesting the attacker was calibrating parameters (tx 0xb80c7d4c...)

4. Main DOT Dump - At 04:33 UTC, the attacker minted 1,000,000 DOT (~$1,260,000 in nominal value) and swapped them through Uniswap V4 and Odos Router, extracting approximately 0.387 ETH (tx 0x743f4bdb...)

5. Continued Extraction - At 04:51 UTC, another 712,403 DOT were minted and dumped through Uniswap V4, with diminishing returns as liquidity pools dried up (tx 0x6f1efcde...)

6. Final Sweep - At 05:07 UTC, the attacker minted a final 1,000 DOT, squeezing the last drops of liquidity from the pool (tx 0xb93aab83...)

Each exploit transaction followed the same pattern: deploy a new contract, call HandlerV1.handlePostRequests with a forged ChangeAssetAdmin message using the MMR bypass (setting leaf_index = 1, leafCount = 1, and proof[0] = overlay_root), gain admin/minter privileges on the target bridged token contract, mint tokens, and dump them through DEX aggregators.

Code Analysis

The vulnerability is a textbook case of inconsistent library behavior at edge cases. Here’s the core of the issue in the HandlerV1.handlePostRequests function:

// HandlerV1.sol - handlePostRequests
// https://github.com/polytope-labs/hyperbridge/blob/05031ae/evm/src/core/HandlerV1.sol

function handlePostRequests(IHost host, PostRequestMessage calldata request) 
    external notFrozen(host) 
{
    uint256 requestsLen = request.requests.length;
    MmrLeaf[] memory leaves = new MmrLeaf[](requestsLen);

    for (uint256 i = 0; i < requestsLen; ++i) {
        PostRequestLeaf memory leaf = request.requests[i];
        bytes32 commitment = leaf.request.hash();
        // leaf.kIndex and leaf.index come directly from untrusted input
        // No validation that leaf.index < leafCount!
        leaves[i] = MmrLeaf(leaf.kIndex, leaf.index, commitment);
    }

    bytes32 root = host.stateMachineCommitment(request.proof.height).overlayRoot;
    if (root == bytes32(0)) revert StateCommitmentNotFound();

    // Passes attacker-controlled leaf_index to the MMR verifier
    bool valid = MerkleMountainRange.VerifyProof(
        root, request.proof.multiproof, leaves, request.proof.leafCount
    );
    if (!valid) revert InvalidProof();

    // If verification "passes", forged messages get dispatched
    for (uint256 i = 0; i < requestsLen; ++i) {
        PostRequestLeaf memory leaf = request.requests[i];
        host.dispatchIncoming(leaf.request, _msgSender());
    }
}

The handler accepts leaf.index and leafCount directly from the calldata - completely attacker-controlled. No sanity check verifies that leaf.index < leafCount. This untrusted input flows directly into the MMR library’s CalculateRoot, triggering the bypass.

The following proof-of-concept demonstrates the inconsistency:

function test_MerkleMountainRange_InconsistentBehavior() public {
    bytes32[] memory proof = new bytes32[](1);
    proof[0] = 0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;

    MmrLeaf[] memory leaves = new MmrLeaf[](1);

    // Case A: leaf_index = 0 → early exit, returns leaf hash (correct)
    leaves[0] = MmrLeaf(0, 0, 0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb);
    bytes32 rootA = MerkleMountainRange.CalculateRoot(proof, leaves, 1);
    // rootA = 0xbbbb...  ← leaf hash, proof is ignored

    // Case B: leaf_index = 1 → bypasses early exit, returns proof[0] (VULNERABLE)
    leaves[0] = MmrLeaf(0, 1, 0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb);
    bytes32 rootB = MerkleMountainRange.CalculateRoot(proof, leaves, 1);
    // rootB = 0xaaaa...  ← attacker controls this! leaf hash completely ignored
}

The fix is remarkably simple - a single bounds check:

// Add this before the CalculateRoot computation:
require(leaf.index < leafCount, "leaf index out of bounds");

One line of validation. That’s the difference between a secure bridge and a $237K exploit with billions in unbacked tokens minted.

Lessons Learned

• Validate all inputs at system boundaries. The handler accepted leaf_index and leafCount from untrusted calldata and passed them directly to a security-critical library. Every parameter that feeds into proof verification must be bounds-checked before use - trusting that a library will handle edge cases correctly is a dangerous assumption.

• Fuzz test cryptographic libraries exhaustively. The MMR library’s behavior diverged at a single edge case (leaf_index >= leafCount). Random fuzzing with arbitrary leaf_index values would have caught this inconsistency immediately. Cryptographic verification code demands the highest testing standards - property-based and fuzz testing are non-negotiable.

• Library security is protocol security. The vulnerable code lived in solidity-merkle-trees, a shared dependency. Bridge protocols that delegate proof verification to external libraries must audit those libraries as rigorously as their own code. A bug in a dependency is a bug in your protocol.

• Inconsistent edge-case behavior is a vulnerability class. The CalculateRoot function had two code paths that behaved fundamentally differently based on leaf_index. Path A (index 0) used the leaf hash; Path B (index 1) used the proof element. This kind of bifurcated logic in security-critical code is a red flag that demands explicit documentation and testing.

• Defense-in-depth for cross-chain bridges. Beyond proof verification, secondary safeguards - rate limiting on minting, admin-change timelocks, anomaly detection - could have limited the blast radius even after verification was bypassed.

Conclusion

The Hyperbridge exploit is a stark reminder that in cross-chain security, the most devastating vulnerabilities often hide in the most fundamental building blocks. A single missing bounds check - leaf_index < leafCount - turned a Merkle Mountain Range verifier into an open door, allowing an attacker to forge cross-chain messages, seize admin privileges, and mint billions in unbacked tokens across DOT, ARGN, MANTA, and CERE.

Despite minting over $2 billion in nominal token value, the attacker walked away with roughly $237K - a testament to the thin liquidity of bridged assets, but cold comfort for a protocol that staked its reputation on being “trust-minimized.” The ironic timing - just twelve days after an April Fools’ post joking about being hacked - underscores that security claims must be backed by rigorous engineering, not confidence.

This incident reinforces that oracle and proof verification code is the bedrock of cross-chain security. When the verification layer fails, everything built on top of it fails. In DeFi, a missing bounds check isn’t a minor oversight - it’s an existential risk.