Call to Polkadot Community and Web3 Foundation to distance themselves from the Hyperbridge Team

After the terrible and damaging facts around the Hyperbridge hack, for example the actual amount of lost funds rising to more than $2.5M, the Hyperbridge team is now threatening EVERY USER who interacted with their faulty bridge after the hack with criminal reports:

As if this team had not already damaged the Polkadot brand and its community enough (remember, this is a team that was bragging in public about being unhackable 3 weeks ago).

I want to make a serious call to this community and the Web3Foundation to:

  • remove the Hyperbridge team from any official and non-official Polkadot-related entity, team, community or body
  • un-invite the Hyperbridge team from any community-driven event or initiative
  • make the Hyperbridge team persona non grata in the Polkadot ecosystem
  • publicly state that users should not interact with products / protocols developed by the Hyperbridge team

Contact me here or at truth_warrior1992@gmail.com to take part properly in this initiative.

Hello. I would like to clarify the position:

  • The community accepted and approved the DeFi Singularity program
    https://polkadot.subsquare.io/referenda/1439, where HyperBridge is designated as the official bridge of this program.

  • On the official website https://wiki.polkadot.com/learn/learn-hyperbridge/, the bridge’s security is emphasized as a key advantage.

  • Given that the HyperBridge team is now taking steps to recover funds that were withdrawn by “dishonest” users due to a technical incident, calls to “boycott” the partner look, to say the least, inconsistent. This goes against previously adopted community decisions.

I hope that discussion participants will adhere to a constructive approach and respect the collective (their own) decisions made within the network’s governance framework.

This post pulls an unrelated issue into the middle of an ongoing recovery process and risks derailing it.

The voluntary return request is probably standard practice in every post-exploit situation. Hyperbridge identified wallets that executed arbitrage against distorted pool prices during the exploit and asked those users to return funds that belong to the drained LPs. Calling that “threatening every user who interacted with the bridge” misrepresents what is happening. Regular users who simply used the bridge normally are not targeted.

More importantly, calls to remove Hyperbridge from the Polkadot ecosystem right now directly undermine the recovery effort. LPs lost $2.5M in a campaign that Polkadot, the Web3 Foundation, and Hyperbridge cooperated to create, endorse, and promote. A constructive recovery requires all three parties at the table. Cutting Hyperbridge off would eliminate the primary source of repayment (bridge fees, BRIDGE treasury, Binance recovery coordination) and leave affected LPs with nothing.

While there is no blame on Polkadot or the Web3 Foundation for the underlying engineering failure at Hyperbridge, it is important to recognize that Hyperbridge is not a third-party protocol that happened to build on Polkadot. The Web3 Foundation itself documents Hyperbridge as core Polkadot infrastructure on Hyperbridge Overview - Polkadot Wiki (Copyright Web3 Foundation). The Wiki describes Hyperbridge as providing “Full Node Security in cross-chain bridges” and guaranteeing “swift, secure, and reliable execution of all cryptographic operations.” W3F led Hyperbridge’s seed round as its inaugural funding initiative. W3F’s CEO publicly stated Hyperbridge “embodies the highest standards of security.” The DAO designated it as the native bridge and allocated 795,000 DOT to recruit LPs into its pools.

Why the Ecosystem Should Act

LPs responded to an official Polkadot DAO campaign. The ecosystem endorsed, funded, promoted, and documented this protocol. Not acting sets the precedent that “the ecosystem will spend Treasury funds to recruit your capital, endorse the product, document it as official infrastructure, and call it the highest standards of security, but if it fails you are on your own.” That precedent suppresses future DeFi participation for years. Acting here is NOT a blanket bailout. It is specific to DAO-endorsed, treasury-funded campaigns where the ecosystem actively recruited the users who were harmed. That boundary is explicit.

Responsibility should be taken, communication should improve, accountability should be real. But that happens through a structured recovery framework, not through ecosystem excommunication that conveniently ensures victims never get made whole.

A governance pre-proposal for a structured recovery loan is live on the Polkadot Forum. That is where this conversation belongs.

What do you mean by “dishonest users”? Perhaps I am too web3-idealistic but these users simply interacted with a smart contract as per the rules and code of the contract. What is dishonest about that? Most likely, they didn’t even know the hack happened.

Don’t get me wrong, if I were one of these users and suddenly got an unexpectedly large amount of DOT in my swap, I would probably check what is going on and return (part of) the DOT in good faith. But we are talking here about Hyperbridge threatening these users with law enforcement, treating them like criminals. That is totally unacceptable behaviour from a team which was curated by web3 standards (don’t trust, verify?). Regardless of whatever these users did, the Hyperbridge team has crossed SEVERAL red lines.

You cannot keep someone else’s money that you find on the street — you have to return it to the owner. This is a law, one way or another, written in all civilized countries. Hyperbridge does not claim that everyone who benefited from the hack broke the law. It emphasizes that this might have been done inadvertently. ‘The money must be returned.’ I believe law enforcement agencies are far more competent in these legal matters than we are. The current ‘Wild West’ situation in the crypto industry does not imply complete legal nihilism. And your initiative, in particular, could create a negative attitude toward the Polkadot ecosystem, including in the eyes of future users and investors (I’ve made these arguments above). Without fair protection of capital, there will be no investment.

According to this logic, you could go as far as to say that the hacker didn’t break any law either…

Let’s not digress from my original point here; this quote of yours comes in very handy for getting back to it:

your initiative, in particular, could create a negative attitude toward the Polkadot ecosystem, including in the eyes of future users and investors

The point of my post is exactly the opposite: My position is that having Hyperbridge in the ecosystem is creating (has already, in fact) a negative attitude toward Polkadot, including future users and investors. If you check the replies to the X post I linked above you will see people are associating the hack with Polkadot and the terrible management by the team with our community.

I want to be able to say that it was a third party protocol when people confront me with “Wasn’t Polkadot hacked?”. And MORE IMPORTANTLY, I want to be able to say “that team is not related to Polkadot ecosystem nor community” when people confront me with “but isn’t Hyperbridge supported/curated by Polkadot?”

Ethereum suffered a billion hacks from hundreds of protocols and bridges, for billions of dollars.
Ethereum is associated with hacks too.
Ethereum is still the number 1 chain.

Here we’re talking about $2.5M maybe.
Nomad was $180M on Moonbeam.
Multichain was at least $90M in total on Moonbeam and other chains.
KelpDAO is a $290M exploit and systemic for DeFi. Do you want to ban Aave and Lido from the whole Ethereum community because they didn’t protect their users with lending/borrow limits or because their vault strategies were not secured in case of a hack on a given asset?

There’s no need to build up a drama considering the amount.
If Polkadot cannot recover from this, that’s the issue.

Hyperbridge is a good bridge design, using cryptographic proofs, not trustees; unfortunately there was this MMR exploit, which may be part of native Polkadot code (there is some discussion about this specific point).
The Hyperbridge team didn’t act in bad faith at any moment; they thought their solution was robust enough (like any other serious team, they had audits on their code).
Hyperbridge is one of the greatest use cases for the Polkadot infra and could use many cores in the future.

So, there’s no need to draw quick conclusions and ban them from the eco like you are asking for. The recovery process is in progress.
Unfortunately, hacks happen, yes. Even on audited code.
Could the situation have been managed differently? Probably (with a bug bounty).
Does it suck for people that suffer the exploit? Of course. Like any hack.

Your initial assumption only works if there is any evidence that they acted fraudulently or in bad faith, which is not the case. If so, then just produce the evidence.

Strength to anyone impacted :raised_fist:.

The Hyperbridge incident is prompting the right conversation about which projects the ecosystem should continue supporting and on what terms. I want to extend that conversation, because Hyperbridge is not the only project exhibiting a signature that correlates with eventual compromise, and the broader question deserves attention while the window for acting on it is open.

Standing:

I was an Immunefi whitehat and participated in multiple programs, including Hydration’s. I’m no longer active on Immunefi for reasons I’ll document separately; those reasons are not relevant to what I’m raising here. Immunefi’s Terms of Service permit public disclosure when a program violates its service level agreements, and what I’m describing below is within that scope.

The specific claim:

Hydration violated Immunefi’s 96-hour acknowledgment SLA on a report I submitted. The subsequent SLAs after acknowledgement are "verdict of triage (valid or invalid) - 7 days, and payment - 7 days". Hydration breached all 3. The violation was sustained for weeks. I eventually withdrew the report because continued engagement with a non-responsive program was not a productive use of my time. I had draft reports that were waiting on standby and were not submitted, which is standard practice so as not to flood the program but instead wait for acknowledgement of the first report before moving forward.

I am not describing the contents of the report, the specific vulnerability, or making any claim about what was or was not exploitable in Hydration’s code, or that the program confirmed the report was valid or not. What I’m describing is the program’s behavior toward a researcher operating in good faith through the platform’s intended channels.

The pattern:

Sustained non-engagement by a bounty program is not neutral. It correlates with eventual compromise, and this is not a theoretical correlation.

Vercel exhibited the same signature prior to their recent critical breach: in-scope codebase, active bounty program, reports that sat unaddressed. I watched that pattern play out and called it at the time. The breach arrived on schedule. I am not claiming that every non-responsive program is breached, and I am not claiming any specific vulnerability exists in Hydration’s codebase today. I am claiming that the pattern itself is a security signal that ecosystem stakeholders should weigh, and that the signal is currently present.

Why this matters beyond Hydration specifically

Hydration received protocol inflation as yield. That funding relationship is different from an unaffiliated project running a bounty program as standard due diligence. When ecosystem-level resources flow to a project, that project’s security posture becomes an ecosystem-level concern, and the standards applied should reflect that.

A project that benefits from treasury or protocol-level support should at minimum meet the disclosure standards that independent projects meet voluntarily. When it doesn’t, the absence is a data point the ecosystem should surface and act on.

What I’m asking the Fellowship, Web3F, and treasury stakeholders to consider:

I’m not asking that any specific project be cut off. I’m stating concern because I am vested in the healthy stewardship of the Polkadot ecosystem both technically and economically.

If that is indeed the case, then this is a completely natural reaction from people. Have you even studied these links to official Polkadot sources?

My argument contains facts and logical, reasoned conclusions — and what about yours? Other than your ‘I want’ argument?
The ‘crisis of responsibility’ does not increase investment and reputational attractiveness.