Hyperbridge has launched a public bug bounty program on HackenProof, offering rewards of up to $50,000 for critical vulnerabilities.
Summary
- Hyperbridge offers $50,000 rewards for critical bugs as researchers review cross-chain messaging and fund safety.
- The program follows April’s fake DOT exploit that exposed proof verification risks across Hyperbridge systems.
- HackenProof rules require proof-of-concept reports while banning live attacks and third-party exploit testing by researchers.
The program invites independent security researchers to review the protocol codebase and submit reports through the security platform.
The HackenProof page lists the Hyperbridge Protocol program as live and active. It describes Hyperbridge as a system that lets blockchains communicate and transfer assets through consensus and state proofs, rather than older bridge models that rely on multisig committees.
Rewards cover key bridge risks
Hyperbridge said rewards start at $200 for low-severity reports and rise to $2,000–$5,000 for medium findings. High-severity bugs can earn $5,000–$15,000, while critical vulnerabilities can receive up to $50,000.
The scope covers the full Hyperbridge protocol repository. The team said researchers can report logic flaws, access-control issues, reentrancy, cross-chain message spoofing, state manipulation and any flaw that could affect message or fund integrity.
April exploit pushed security review
The program follows an April exploit in which an attacker minted roughly 1 billion fake DOT-equivalent tokens on Ethereum through Hyperbridge’s cross-chain gateway. Crypto.news reported that the attacker gained admin control through a forged cross-chain message and extracted about $237,000 in ether.
The same report said the fake supply affected the bridged DOT representation, while Polkadot’s native network remained technically unaffected. It also linked the case to wider bridge risks, where forged messages and weak verification checks remain common attack paths.
In addition, Hyperbridge said testing must happen on local forks only. Live infrastructure attacks, social engineering and third-party exploits are outside the program’s scope.
The HackenProof page also requires proof-of-concept submissions and lists rules against service disruption, personal data access, spam, DDoS testing and reports that rely only on theory. It says researchers must stay within scope and avoid public disclosure without approval.
Cross-chain use case remains active
Hyperbridge had already appeared in crypto.news coverage before the exploit. In May 2025, Enjin Blockchain used Hyperbridge on testnet to support cross-chain stablecoin transfers involving USDC and USDT from Ethereum and BNB Chain.
That earlier setup showed why bridge security matters. Users lock tokens on one chain and receive a matching version on another network. When proof checks fail, the risk can move from one contract into a wider cross-chain system. The new bounty places Hyperbridge’s code under wider review as the protocol works to reduce repeat failures.
