Hyperbridge releases update on attack incident, vulnerability caused by flaw in Merkle proof verification logic

Foresight News reported that the blockchain interoperability protocol Hyperbridge has disclosed details of the previous DOT attack incident, resulting in a loss of approximately $237,000. The root cause of the vulnerability was the lack of input validation in the HandlerV1 contract's VerifyProof() function, which did not check whether leaf_index < leafCount, allowing attackers to forge Merkle proofs. Through this, the attacker obtained administrator rights for the bridged DOT token contract on Ethereum, subsequently minting 1 billion bridged DOT (about 2,800 times the legitimate circulating supply of approximately 356,000 tokens), and cashed out on decentralized exchanges. Hyperbridge stated that, at present, they are tracking the funds with security partners, and cross-chain functionality will remain suspended until the investigation is complete.