This is a segment from the 0xResearch newsletter. To read complete editions, subscribe.
“Either you die a hero or you live long enough to become a villain.” —Harvey Dent
For Hyperliquid, it took 25 days from its acclaimed airdrop to be met with an onslaught of controversy.
It all started when Taylor Monahan (@tayvano), a security researcher at MetaMask, raised the alarm about a series of Hyperliquid transactions made from North Korea-tagged wallets. According to Monahan’s data, the wallets have accumulated a loss of $701 thousand from the criminals’ ETH positions.
That’s a meager amount for a state-sponsored hacker group. But what sent people into an uproar was the revelation that North Korean hackers were actively familiarizing themselves with the Hyperliquid platform, presumably to launch an imminent attack.
The Hyperliquid chain’s set of four highly centralized validators made it more vulnerable to a potential attack, Monahan claims.
Hyperliquid’s liquidity is locked in an Arbitrum lock-and-mint style bridge, where Hyperliquid used to exist as a rogue DEX application.
When Hyperliquid migrated to its own Tendermint consensus L1 PoS chain in March 2024, the team retained Arbitrum’s lock-and-mint style bridge, which remains the only way to join Hyperliquid today.
According to Dune, the deposit bridge has seen a record net outflow of $114.7 million in USDC liquidity in the past day, although that is still a fraction of the remaining $2.22 billion in TVL.
Talk of a Hyperliquid hack is purely speculative at this point, but if it were to happen, here’s an outline of how it would play out.
Successfully attacking Hyperliquid’s bridge contract would require three of its four validators to be compromised, based on a two-thirds quorum.
If that were to happen, Circle could, in theory, freeze the natively minted USDC on Arbitrum before the hackers could exchange the stolen funds for an asset that cannot be frozen, such as ETH.
That, however, requires Circle to act on issued court orders, a tedious and time-consuming legal process that can provide the time sophisticated hackers need to execute an exit.
Instead, the hacker may choose to try to bridge USDC.e (Ethereum-native USDC tokens that were bridged to Arbitrum) to the Ethereum L1.
“The only plausible path that would enable the Arbitrum security council as a line of defense would be if hackers attempted to withdraw funds through the canonical bridge, likely after switching to ETH,” Matt Fiebach of Entropy Advisors told Blockworks.
“In this scenario, the chosen Arbitrum Security would have to make the decision whether effectively blocking this transfer was within its scope to ‘address critical risks associated with the Arbitrum protocol and its ecosystem.'”
Finally, it is also worth noting that a hacker would have trouble finding the liquidity venues needed to exchange the stolen funds. $2 billion of liquidity would have to be spread across a variety of third-party bridges, causing massive diversions.