Hyperliquid under scrutiny amid signs of North Korean hacker activity
Hyperliquid’s deposit bridge has seen a record net outflow of $114.7 million in USDC liquidity in the past day
CryptoFX/Shutterstock modified by Blockworks
This is a segment from the 0xResearch newsletter. To read full editions, subscribe.
“You either die a hero, or you live long enough to see yourself become the villain.” — Harvey Dent
For Hyperliquid, it took all of 25 days since its highly acclaimed airdrop to run into a bout of controversy.
It started when Taylor Monahan (@tayvano), a security researcher at MetaMask, sounded the alarm on a series of Hyperliquid transactions made from North Korea-tagged wallets. Based on Monahan’s data, the wallets have accrued a $701k loss from ETH perps positions.
It’s a meager amount for a state-sponsored hacker group. But what got people in an uproar was the revelation that North Korea hackers were actively familiarizing themselves with the Hyperliquid platform, presumably to launch an impending hack.
Hyperliquid chain’s highly centralized validator set of four made it extra vulnerable to a potential hack, Monahan claims.
Hyperliquid’s liquidity is locked in a lock-and-mint style bridge from Arbitrum, where Hyperliquid used to exist as a perps DEX application.
When Hyperliquid migrated to its own Tendermint-consensus PoS L1 chain in March 2024, the team retained the lock-and-mint style bridge from Arbitrum, which remains the only way to onboard onto Hyperliquid today.
Based on Dune, the deposit bridge has seen a record high net outflow of $114.7m in USDC liquidity in the past day, though that is still a fraction of the remaining $2.22b in TVL.
Talks of a Hyperliquid hack are merely speculative at this time, but if one happened, here’s a rough sketch of how it would play out.
To successfully attack Hyperliquid’s bridge contract would require three out of its four validators to be compromised, as per a two-thirds quorum.
Should that happen, the natively minted USDC on Arbitrum could theoretically be frozen by Circle before the hackers were able to swap the stolen funds into an uncensorable asset like ETH.
That, however, requires Circle to act on issued court orders, a tedious and slow legal process that may offer the time sophisticated hackers need to execute an exit.
The hacker may instead choose to try and swap to USDC.e (Ethereum-native USDC tokens that were bridged to Arbitrum) onto the Ethereum L1.
“The only plausible path that would enable the Arbitrum security council as a line of defense would be if the hackers attempted to withdraw the funds through the canonical bridge, likely after swapping to ETH,” Matt Fiebach at Entropy Advisors told Blockworks.
“In this scenario, the elected Arbitrum Security would need to make the decision of whether effectively blocking this transfer was within their scope of ‘addressing critical risks associated with the Arbitrum protocol and its ecosystem’.”
Finally, it’s also worth noting that a hacker would have trouble finding the necessary liquidity venues to swap out of the stolen funds. $2 billion of liquidity would have to be spread across a variety of third-party bridges, which would cause massive slippages.
Get the news in your inbox. Explore Blockworks newsletters:
- Blockworks Daily: The newsletter that helps thousands of investors understand crypto and the markets, by Byron Gilliam.
- Empire: Start your morning with the top news and analysis to inform your day in crypto.
- Forward Guidance: Reporting and analysis on the growing intersection of crypto and macroeconomics, policy and finance.
- 0xResearch: Alpha directly in your inbox. Market highlights, data, degen trade ideas, governance updates, token performance and more.
- Lightspeed: Built for Solana investors, developers and community members. The latest from one of crypto’s hottest networks.
- The Drop: For crypto collectors and traders, covering apps, games, memes and more.
