Hyperliquid under scrutiny amid signs of North Korean hacker activity

Hyperliquid’s deposit bridge has seen a record net outflow of $114.7 million in USDC liquidity in the past day

article-image

CryptoFX/Shutterstock modified by Blockworks

share


This is a segment from the 0xResearch newsletter. To read full editions, subscribe.


“You either die a hero, or you live long enough to see yourself become the villain.” — Harvey Dent

For Hyperliquid, it took all of 25 days since its highly acclaimed airdrop to run into a bout of controversy.

It started when Taylor Monahan (@tayvano), a security researcher at MetaMask, sounded the alarm on a series of Hyperliquid transactions made from North Korea-tagged wallets. Based on Monahan’s data, the wallets have accrued a $701k loss from ETH perps positions.

It’s a meager amount for a state-sponsored hacker group. But what got people in an uproar was the revelation that North Korea hackers were actively familiarizing themselves with the Hyperliquid platform, presumably to launch an impending hack.

Hyperliquid chain’s highly centralized validator set of four made it extra vulnerable to a potential hack, Monahan claims.

Loading Tweet..

Hyperliquid’s liquidity is locked in a lock-and-mint style bridge from Arbitrum, where Hyperliquid used to exist as a perps DEX application.

When Hyperliquid migrated to its own Tendermint-consensus PoS L1 chain in March 2024, the team retained the lock-and-mint style bridge from Arbitrum, which remains the only way to onboard onto Hyperliquid today.

Based on Dune, the deposit bridge has seen a record high net outflow of $114.7m in USDC liquidity in the past day, though that is still a fraction of the remaining $2.22b in TVL.

Source: Dune

Talks of a Hyperliquid hack are merely speculative at this time, but if one happened, here’s a rough sketch of how it would play out.

Loading Tweet..

To successfully attack Hyperliquid’s bridge contract would require three out of its four validators to be compromised, as per a two-thirds quorum.

Should that happen, the natively minted USDC on Arbitrum could theoretically be frozen by Circle before the hackers were able to swap the stolen funds into an uncensorable asset like ETH.

That, however, requires Circle to act on issued court orders, a tedious and slow legal process that may offer the time sophisticated hackers need to execute an exit.

The hacker may instead choose to try and swap to USDC.e (Ethereum-native USDC tokens that were bridged to Arbitrum) onto the Ethereum L1.

“The only plausible path that would enable the Arbitrum security council as a line of defense would be if the hackers attempted to withdraw the funds through the canonical bridge, likely after swapping to ETH,” Matt Fiebach at Entropy Advisors told Blockworks.

“In this scenario, the elected Arbitrum Security would need to make the decision of whether effectively blocking this transfer was within their scope of ‘addressing critical risks associated with the Arbitrum protocol and its ecosystem’.”

Finally, it’s also worth noting that a hacker would have trouble finding the necessary liquidity venues to swap out of the stolen funds. $2 billion of liquidity would have to be spread across a variety of third-party bridges, which would cause massive slippages.


Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Explore the growing intersection between crypto, macroeconomics, policy and finance with Ben Strack, Casey Wagner and Felix Jauvin. Subscribe to the Forward Guidance newsletter.

Get alpha directly in your inbox with the 0xResearch newsletter — market highlights, charts, degen trade ideas, governance updates, and more.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.

Tags

Upcoming Events

Javits Center North | 445 11th Ave

Tues - Thurs, March 18 - 20, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

recent research

Research Report Templates.jpg

Research

In this report, each analyst on the Blockworks Research team lays out their highest conviction thesis for 2025.

article-image

ETH’s been watching from the sidelines as bitcoin and solana take off

article-image

Welch has not posted or uploaded anywhere online since the incident

article-image

One research associate is potentially eyeing February or March for ETH to hit a new high

article-image

Going into an FOMC meeting, a constellation of factors come together to affect the event’s price outcome

article-image

The banking giant’s new permissioned layer-2 points to Ethereum’s growing role in TradFi

article-image

Altcoins offer regular investors a “more even playing field” than the stock market does