Hyperbridge lost $2.5 million on April 13, 2026 after an attacker exploited missing proof-to-request binding in the Merkle Mountain Range verification logic of the EthereumHost contract. A two-phase attack extracted roughly 245 ETH first, then minted approximately 1 billion bridged DOT tokens and dumped them into DEX liquidity. Initial loss estimates of $237,000 excluded the first phase entirely. Post-mortem: https://rekt.news/hyperbridge-rekt