Hyperliquid under scrutiny amid signs of North Korean hacker activity

avatar
Blockworks
2 days ago


This is a segment from the 0xResearch newsletter. To read full editions, subscribe.


“You either die a hero, or you live long enough to see yourself become the villain.” — Harvey Dent

For Hyperliquid, it took all of 25 days since its highly acclaimed airdrop to run into a bout of controversy.

It started when Taylor Monahan (@tayvano), a security researcher at MetaMask, sounded the alarm on a series of Hyperliquid transactions made from North Korea-tagged wallets. Based on Monahan’s data, the wallets have accrued a $701k loss from ETH perps positions.

It’s a meager amount for a state-sponsored hacker group. But what got people in an uproar was the revelation that North Korea hackers were actively familiarizing themselves with the Hyperliquid platform, presumably to launch an impending hack.

Hyperliquid chain’s highly centralized validator set of four made it extra vulnerable to a potential hack, Monahan claims.

There are no more than 4 validators and all run the same code, possibly collocated as well. Centralized infra, build systems, etc. maintained and accessed by unknown number of founders, c-levels, and engjneers who use the same devices to access said systems as they do to talk to…

— Tay 💖 (@tayvano_) December 23, 2024

Hyperliquid’s liquidity is locked in a lock-and-mint style bridge from Arbitrum, where Hyperliquid used to exist as a perps DEX application.

When Hyperliquid migrated to its own Tendermint-consensus PoS L1 chain in March 2024, the team retained the lock-and-mint style bridge from Arbitrum, which remains the only way to onboard onto Hyperliquid today.

Based on Dune, the deposit bridge has seen a record high net outflow of $114.7m in USDC liquidity in the past day, though that is still a fraction of the remaining $2.22b in TVL.

Source: Dune

Talks of a Hyperliquid hack are merely speculative at this time, but if one happened, here’s a rough sketch of how it would play out.

Everyone wanted Hyperliquid to respond to the allegations of an impending hack, so here it is.

TDLR: there is no exploit, all funds are safu. If a vulnerability is found, the team is always willing to listen as they have a bug bounty program. pic.twitter.com/VHYeUogvxs

— steven.hl (@stevenyuntcap) December 23, 2024

To successfully attack Hyperliquid’s bridge contract would require three out of its four validators to be compromised, as per a two-thirds quorum.

Should that happen, the natively minted USDC on Arbitrum could theoretically be frozen by Circle before the hackers were able to swap the stolen funds into an uncensorable asset like ETH.

That, however, requires Circle to act on issued court orders, a tedious and slow legal process that may offer the time sophisticated hackers need to execute an exit.

The hacker may instead choose to try and swap to USDC.e (Ethereum-native USDC tokens that were bridged to Arbitrum) onto the Ethereum L1.

“The only plausible path that would enable the Arbitrum security council as a line of defense would be if the hackers attempted to withdraw the funds through the canonical bridge, likely after swapping to ETH,” Matt Fiebach at Entropy Advisors told Blockworks.

“In this scenario, the elected Arbitrum Security would need to make the decision of whether effectively blocking this transfer was within their scope of ‘addressing critical risks associated with the Arbitrum protocol and its ecosystem’.”

Finally, it’s also worth noting that a hacker would have trouble finding the necessary liquidity venues to swap out of the stolen funds. $2 billion of liquidity would have to be spread across a variety of third-party bridges, which would cause massive slippages.


Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.

Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Source
Disclaimer: The content above is only the author's opinion which does not represent any position of Followin, and is not intended as, and shall not be understood or construed as, investment advice from Followin.
Like
1
Add to Favorites
1
Comments