**[Updated Pre-Proposal Discussion] DOT Recovery Loan to Hyperbridge Exploit Victims**

Summary

On April 13, 2026, Hyperbridge’s Token Gateway was exploited via a forged MMR proof (missing bounds check in HandlerV1, challengePeriod set to zero). Hyperbridge has confirmed $2.5M in total realized losses across Ethereum, Arbitrum, Base, and BNB Chain. However, the actual LP losses in the DeFi Singularity pools are estimated to be lower, approximately $1.5-1.8M, as the difference likely probably reflects native DOT drained from the Polkadot-side escrow by opportunistic actors (separate from the LP positions). All affected pools were part of the DeFi Singularity campaign (Referenda #1439), a 795,000 DOT treasury-funded initiative that actively recruited external LPs.

Hyperbridge’s proposed compensation is a BRIDGE token residual backstop with terms to be defined one year from the exploit. BRIDGE has lost over 92% of its value since TGE and has effectively no liquid market.

On April 16, 2026, Drift Protocol announced a $147.5M recovery package (Tether + partners) using a revenue-linked credit facility and transferable recovery tokens for their $295M exploit. That structure is a direct example how the Ecosystem can help out and gain massive reputation.

Why the Ecosystem Should Act

The affected LPs responded to an official Polkadot DAO campaign. Hyperbridge was the DAO-designated native bridge. The Web3 Foundation backed it as their inaugural funding initiative. The 795,000 DOT treasury allocation recruited these LPs into the exact positions that were destroyed.

Not acting sets a precedent that suppresses future DeFi participation: the ecosystem will spend Treasury funds to recruit liquidity, but if the endorsed product fails, users absorb 100% of the loss. A structured, repayable loan with strict safeguards demonstrates that ecosystem endorsement carries accountability, which strengthens, not weakens, Polkadot’s credibility for future DeFi growth.

Acting here is NOT a blanket bailout precedent. It is specific to a DAO-endorsed, treasury-funded campaign where the ecosystem actively recruited the users who were harmed. Unendorsed third-party protocol exploits would not qualify under the same logic, and that boundary will be explicit in any final proposal.

How the Proposal Works (5 Steps)

1. The Polkadot Treasury (or Web3 Foundation) provides a recovery loan in DOT directly to victims.

2. The loan is paid directly to verified affected DeFi Singularity LPs, NOT to Hyperbridge. Distribution is linear over 12 months (1/12 released monthly) to eliminate DOT sell pressure.

3. Claims are calculated as net loss only: capital deposited minus all earned vDOT rewards. All victims forfeit their earned rewards against the recovery amount. Recovery covers net loss only.

4. Hyperbridge/Polytope Labs assumes the full repayment obligation to the Treasury. Repayment runs separately and independently from the victim distribution. Victims do not wait for Hyperbridge to contribute first. These are two independent processes.

5. The Treasury gets its DOT back over time. Victims do not wait.

Claim Calculation: Net Loss Only

Recovery claims are calculated as: documented capital deposited, minus all vDOT rewards earned during the DeFi Singularity campaign. This structure ensures the Treasury is not covering losses already offset by yield.

The exact amount will be determined on the basis of a verified pre-exploit snapshot across all four affected chains. This will be specified precisely before any formal referendum is submitted.

Estimated Recovery Amount

Based on preliminary estimates: approximately $1.5-1.8M in total LP losses, minus earned vDOT rewards. The exact amount will be determined on the basis of a verified pre-exploit snapshot across all four affected chains. The actual Treasury loan amount could be significantly below this range depending on the final accounting. This will be specified precisely before any formal referendum is submitted.

Distribution to Victims: 12-Month Linear Vesting

The loan is distributed to victims over a 12-month linear vesting period (1/12 released monthly). Even at the upper estimate of $1.8M total (before reward deduction), maximum monthly distribution would be approximately $150K. This represents a negligible fraction of DOT’s daily trading volume, which regularly exceeds $100M across exchanges. DOT has a circulating supply of 2.2 billion tokens. This distribution creates zero systemic risk or sell pressure.

Repayment to Treasury: Hyperbridge’s Obligation

Repayment to the Treasury runs separately and independently from the victim distribution. Hyperbridge/Polytope Labs assumes the full repayment obligation from the following streams:

1. Bridge fees from Intent Gateway (currently operational) and Token Gateway (post-audit relaunch)

2. BRIDGE token treasury distributions (35% of total supply held in protocol treasury)

3. All Binance recovery proceeds (Hyperbridge has stated that a significant portion of exploited funds was traced to Binance)

4. Outstanding vDOT rewards from the DeFi Singularity campaign (already approved through OpenGov but not yet distributed)

5. Unspent DeFi Singularity campaign allocation (the incentivized pools no longer exist)

6. Any direct Polytope Labs contribution proportional to what they can sustain without ceasing operations

Repayment progress is tracked on-chain and reported to the community. If recovery from Binance or other streams resolves quickly, repayment could be completed in months. If it takes longer, bridge fee revenue and BRIDGE treasury distributions continue until the loan is fully repaid.

Hyperbridge’s Revenue Capacity for Repayment

Hyperbridge has publicly reported the following operational metrics:

• Over $400 million in cumulative processed volume as of February 2026

• 14 connected networks including Ethereum, Arbitrum, Base, BNB Chain, Optimism, and Polygon

• Ranked 5th most active bridge by daily addresses on Token Terminal (November 2025)

• 59,000+ cross-chain messages processed, saving a cumulative 16.9 trillion gas units

• Intent Gateway launched September 2025 and continues to operate normally (unaffected by the exploit)

Why Direct-to-Victims, Not Via Hyperbridge

Routing funds through Hyperbridge introduces dependency on a team that experienced a critical security failure. Direct Treasury-to-victim distribution removes counterparty risk. Hyperbridge’s obligation is to repay the Treasury over time, not to manage or distribute victim funds.

Why a Loan, Not a Grant

• Cost-neutral to the Treasury when repayment is completed

• Multiple independent repayment streams reduce default risk

• 12-month linear vesting eliminates sell pressure concerns

• Reward forfeiture ensures no windfall for victims beyond net loss recovery

• Consistent with existing ecosystem commitments: W3F seed investment (their “inaugural funding initiative”), DAO designation as native bridge, treasury-funded DeFi Singularity campaign

• Sample Case: Drift/Tether recovery (April 16, 2026), Bitfinex BFX model (2016, fully repaid in 8 months)

What This Does NOT Ask For

• No new DOT emission (compliant with March 2026 supply cap)

• No grant (repayable loan with on-chain repayment tracking)

• No windfall (reward forfeiture = net loss only)

• No precedent for bailing out every hack (specific to DAO-endorsed, treasury-funded campaigns only)

• No sell pressure (12-month linear vesting, ~$150K/month max vs $100M+ daily DOT volume)

Next Steps

1. Community discussion on this framework

2. Await Hyperbridge post-mortem with final on-chain accounting to determine exact LP losses

3. Hyperbridge/Polytope Labs to formally accept repayment obligation (we have asked the team to take ownership of this proposal and submit it as their own governance proposal; if they do not engage, the affected LP community will bring it forward)

4. Web3 Foundation engagement as lead investor

5. Bifrost engagement on outstanding vDOT distribution and unspent Singularity allocation

6. Formal OpenGov referendum once framework terms are agreed and exact figures confirmed

This is a pre-proposal for discussion. We welcome feedback from anyone with OpenGov experience, from Polytope Labs and W3F directly, and from other affected LPs.

References: Hyperbridge Security Update (April 13) | Hyperbridge Recovery Update (April 16) | Drift/Tether Recovery Announcement (April 16) | Hyperbridge 2025 Recap (operational metrics)

hi, thank you for coming forward with this idea.

I am not sure if voters will find it agreeable, but I think it is sophisticated enough to at least consider it and think it through.

Some hygiene questions:

• Are you associated with Hyperbridge?
• If not, have you reached out to the Hyperbridge team to discuss the idea with them?

Sorry you’re in this position. I’d like to hear directly from the Hyperbridge team on this, since it’s their responsibility to address, not the ecosystem or treasury. If there are known issues or weaknesses, they should acknowledge them and share a remediation plan. to trust or not to trust that is the question…

Hello team,

Thank you for sharing this proposal. I support finding a fair solution for the victims, but before supporting any Treasury involvement, I believe a few points need to be clarified in order to protect DOT holders.

First, we need a clear answer to this question: is the Treasury helping the victims, or indirectly bailing out Hyperbridge? If the Treasury provides funds upfront while repayment depends on Hyperbridge/Polytope Labs, then the risk is effectively being shifted from the project to DOT holders.

That is why the key question is: what is the legal repayment obligation of Hyperbridge/Polytope Labs? Will there be a binding legal structure, clear repayment commitments, and an enforceable mechanism if repayment does not happen as planned?

The proposal itself also notes that Web3 Foundation was an early backer, and that Polytope Labs still has venture backing and around four years of runway. In my view, if the goal is to protect DOT holders, the order of loss absorption should be: equity / insiders / token treasury / future fees / recovery proceeds before Treasury, rather than placing Treasury in a first-loss position.

If Treasury participation is still considered necessary, I think more cautious structures should be explored, for example:

- Treasury only provides a partial guarantee, instead of taking the full risk.

- Treasury provides a bridge loan with milestone-based disbursement, tied to clear conditions around asset recovery, internal/backer capital contributions, and repayment progress.

In short, I am not against supporting the victims, but the proposal should clearly demonstrate that Treasury is not being asked to take risk ahead of insiders and existing investors.

Best regards,

If Hyperbridge previously raised around $5.35M, the first question is where that risk buffer went. Why couldn’t the project absorb the loss using its own resources first, instead of immediately turning to the Polkadot Treasury?

Right now, this “loan” looks more like shifting application-layer losses onto the broader ecosystem. Without clear risk rules or repayment guarantees, this could easily set a precedent for implicit bailout expectations.

Supporting users is reasonable, but the boundary of responsibility still needs to be clearly defined.

Hi, another victim here.

Many of us have reached out to the Hyperbridge team but we are only met with responses from their Discord mod. We would love to engage with Hyperbridge team directly as well, but public forums like this seem to be the best way to indirectly communicate with them.

The official Hyperbridge recovery plan announced yesterday by the team Update on Recovery Efforts and Next Steps is simply as follows:

1. They will try to recover the funds from the hacker
2. If that’s not possible, they will allocate $BRIDGE to cover for the difference, one year from now.

That is to say.. in the likely case that the funds are not recovered, Hyperbridge/Polytope currently assumes no responsibility besides promising tokens that are currently unknown in value a year from now, putting victims in a perilous position.

Is anyone here able to get in contact with Hyperbridge directly? For the loan proposal to be viable, it would need a repayment commitment/guarantee from the Hyperbridge team.

Thank you for your message! No, I am not associated with Hyperbridge. I am an affected LP. Yes, I have reached out to Polytope Labs directly at ops@polytope.technology and asked them to take ownership of this proposal and submit it themselves as a formal governance proposal. I have also contacted the Web3 Foundation separately. If Hyperbridge engages and takes the lead on this, that is the preferred outcome. Only if they do not act would I, together with other affected LPs, bring this to a vote ourselves.

Participants in Hyperbridge weren’t passive victims. They were actively earning high APY from the DOT LP incentives, and they were fully aware — or at least should have been — of the risks involved, especially bridge risk, which is one of the most well-known weak points in DeFi.

You can’t take the rewards when things go well, and then expect the entire ecosystem to absorb the losses when things go wrong. That’s not user protection — that’s just risk externalization.

If this proposal is approved, it sets a dangerous precedent: any future DeFi exploit could easily turn into a Treasury bailout.

At a minimum, losses should be handled in this order:

• First, the protocol’s own reserves and team resources

• Then, the participants who willingly took on the risk

Otherwise, we’re not building a resilient system — we’re building an expectation of bailouts.

Thank you for raising these points. They deserve a direct response.

On the precedent concern: We understand why this is raised, and we want to address it carefully. The relevant distinction is whether the ecosystem actively recruited the users who were harmed. In this case, the DAO funded a 795,000 DOT campaign that specifically targeted external LPs to deposit into these exact pools. That is fundamentally different from a random third-party protocol exploit. The boundary should be explicit in any final proposal: ecosystem-endorsed, treasury-funded campaigns carry ecosystem accountability. Unendorsed products do not.

We would also note that not acting here sets its own precedent. It tells every future LP considering a Polkadot DeFi initiative: the ecosystem will spend Treasury funds to recruit your capital, but if the endorsed product fails, you absorb 100% of the loss. That message will suppress DeFi participation in Polkadot far more than a structured, repayable loan ever could.

On rewards: This is a fair concern. We will adjust the proposal so that all earned vDOT rewards are deducted from recovery claims. If an LP earned $5,000 in vDOT rewards over 8 months, their claim is reduced by $5,000. Net loss only. The Treasury should not cover losses that were already offset by yield.

On risk awareness: LPs accepted standard DeFi risks, absolutely. Impermanent loss, smart contract risk, market volatility. What they did not accept is a missing bounds check in a Solidity function combined with a challengePeriod set to zero. That is not “bridge risk” in the abstract. That is an implementation failure that any standard audit cycle should have caught. There is a meaningful difference between accepting market risk and being exposed to negligent engineering in a product the DAO itself designated as the native bridge.

On the loss absorption order: We fully agree, and the updated proposal already reflects this:

1. Polytope Labs / insider capital first
2. BRIDGE token treasury
3. Binance recovery + native DOT escrow + vDOT
4. Bridge fee revenue over time
5. Treasury loan only for the verified gap after 1-4

The Treasury is last in line, not first. And it is a loan that gets repaid, not a grant.

Thank you for the constructive feedback. These points are making the proposal stronger.

Thank you, these are important questions.

On the $5.35M: We do believe Polytope Labs should make a meaningful contribution as part of the recovery framework, proportional to what they can sustain without ceasing operations. The updated proposal reflects this: Polytope contributes what they can such as future bridging fees, BRIDGE token treasury, remaning vDOT and victims pledge Binance recovery of hacked funds.

On “shifting losses to the ecosystem”: This is a valid concern if the Treasury were providing a grant. It is not. This is a repayable loan with six identified repayment streams. If the framing is that any Treasury involvement equals a bailout, then by that logic the Treasury should never have funded the 795,000 DOT DeFi Singularity campaign that recruited these LPs in the first place. The ecosystem chose to actively bring these users in. The question is whether it also accepts a role in the resolution when the endorsed product fails.

On repayment guarantees: We welcome suggestions on how to strengthen enforcement. These details should be worked out with Hyperbridge and the community before any referendum is submitted.

On the boundary of responsibility: We fully agree this needs to be explicit. The proposed boundary is: ecosystem-endorsed, treasury-funded campaigns where the DAO actively recruited external users carry ecosystem accountability. Unendorsed third-party protocols do not. This is not a blanket precedent. It is a specific response to a specific set of facts.

Thank you for the empathy. We agree that primary responsibility sits with Hyperbridge, and we have asked their team directly to take ownership of this process and submit their own formal governance proposal. We hope they will.

The reason the ecosystem is part of this conversation is that these were not random third-party pools. They were created through the DeFi Singularity campaign (Referenda #1439), funded with 795,000 DOT from the Treasury, with Hyperbridge designated as the native bridge by the DAO. The ecosystem endorsed, funded, and promoted the product that failed. That does not shift the blame away from Hyperbridge’s engineering failure, but it does make the broader ecosystem a stakeholder in finding a resolution.

On trust: the proposed loan structure is specifically designed so that trust is not required. The Treasury lends, Hyperbridge has a binding repayment obligation through multiple streams, and the Treasury gets its DOT back but we deduct received vDOT returns since the campaign started. If Hyperbridge delivers, trust is rebuilt through action. If they don’t, the collateral streams provide fallback. That is “trust but verify” in practice.

I am also one of the users who suffered losses from the hack. What I want to say is:

• Besides those participating in the LP program, there are users who only bought or bridged DOT and left it passively, and they should be compensated similarly to the LPs.
• I know that from the beginning, the W3F invested in Hyperbridge, considering it a native bridge protocol. Polkadot’s fan page on X also promoted Hyperbridge, and even Gavin Wood praised Hyperbridge on his social media account. Without all these events, I would never have put my money in Hyperbridge. I’m certain that Parity and the W3F must bear some responsibility.
• The 12-month repayment period for $1.5M USD is impossible for Hyperbridge; it should be extended based on their actual profits.
• The majority of users who lost assets are loyal DOT holders; they certainly wouldn’t sell DOT if they were compensated. I myself suffered significant losses. If I didn’t believe in DOT’s vision, I would have sold it long ago instead of holding it until the current price of $1. If this issue isn’t resolved smoothly, Polkadot will suffer huge losses. No one will care about DOT’s technology or how good its vision is anymore.
• Hope we will find the way to resolve this significant issue.

Summary of Proposal Updates

Based on the constructive community feedback received, the following changes have been incorporated into the revised proposal:

• LP losses estimated at $1.5-1.8M, separate from the $2.5M headline which includes native DOT escrow drains unrelated to LP positions. Exact figures to be determined on the basis of a verified pre-exploit snapshot across all four chains.

• All earned vDOT rewards will be deducted from recovery claims. Net loss only, no windfall.

• Mechanism clarified: Treasury provides loan directly to victims over 12 months (1/12 monthly). Hyperbridge repays the Treasury separately over time through bridge fees, BRIDGE token treasury, Binance recovery, vDOT, and Polytope Labs contribution. Two independent processes.

Hyperbridge revenue capacity documented: $400M cumulative volume, 14 networks, Intent Gateway operational.

• At $1.8M upper estimate (before reward deduction), maximum monthly distribution is ~$150K, negligible against DOT’s $100M+ daily volume.

• We have asked the Hyperbridge team to take ownership and submit this as their own governance proposal. If they do not engage, the affected LP community will bring it forward.

Privatising the upside and socialising the downside – seems good lmao.

I’m all for trying to recover funds via law enforcement or whatever – more power to you. Or Hyperbridge trying to make people whole – but personally, I disagree with the Polkadot treasury bailing out people who were primarily using Hyperbridge to capitalize on high APYs.

When you use any bridge or DeFi product, you, the user, the one who signs the transactions, should be aware of the risks and accept some level of responsibility if it goes tits up.

I know people in this thread will disagree with me, of course.

Thanks but you have to consider the following:

On “privatising the upside”: We have updated the proposal so that all earned vDOT rewards are deducted from claims. Net loss only. Nobody is keeping yield and also asking for recovery. That concern is addressed.

On “socialising the downside”: This is a loan, not a bailout. The Treasury lends DOT to victims, Hyperbridge repays the Treasury over time through bridge fees, BRIDGE token treasury, Binance recovery, and other streams. If repayment works, the Treasury loses nothing. The downside is not socialised, it is temporarily fronted and then returned.

On user responsibility: LPs accepted DeFi risk. Impermanent loss, market volatility, smart contract risk. What they did not accept is a missing bounds check combined with a challengePeriod set to zero in the official DAO-designated native bridge, promoted through a 795,000 DOT treasury-funded campaign. There is a difference between “I signed a transaction on a random protocol” and “I responded to an official Polkadot DAO recruitment campaign into an ecosystem-endorsed product.” The ecosystem actively brought these users in.

If the position is that users should bear 100% of the loss when a DAO-endorsed, treasury-funded product fails due to negligent engineering, that is a coherent position. But it has consequences: no rational LP will participate in the next Polkadot DeFi campaign. That is a cost the ecosystem should weigh against a repayable loan.

I would argue that this is extremely optimistic, borderline unrealistic, that these funds will end up being recouped by the Polkadot treasury.

As per your comment above my initial one, it seems you are still waiting to hear back from the Hyperbridge/Polytope labs team – so the main form of recovery is the Hyperbridge treasury and repayments, which seem not to have been agreed upon by the team or their parachain’s token holders? – so I am very skeptical

Let’s see how the vote goes, I guess