Hypr Network Exploit: Understanding the $220K Bridge Hack and Lessons in DeFi Security from OP Stack's Vulnerability Disclosure and Optimism Foundation's Response
TL;DR
Hypr Network, utilizing OP Stack, experienced a significant exploit with a loss of approximately $220,000 due to a vulnerability in their deployment. OP Labs addressed the issue post-deployment, emphasizing community collaboration for enhanced security practices. Optimism Foundation advises using vetted releases amid increasing market interest in new DeFi opportunities.
The recent incident involving gaming-oriented L2 Hypr Network has raised concerns in the crypto community.
Shortly after its launch, the network suffered a significant loss of 2.57 million HYPR tokens, amounting to approximately $220,000, due to a bridge exploit.
The exploit was swiftly detected by a vigilant user, prompting the team to issue a cautionary message urging users to refrain from using the Hypr Network Bridge.
📢 ATTENTION: Do not use the Hypr Network Bridge. The team wants to perform some more tests and do some further audits on the bridge.
— Hypr Network (@hypr_network)
4:09 AM • Dec 13, 2023
Initially, the team refrained from confirming the exploit, opting instead to emphasize the need for additional testing and audits on the bridge.
In a subsequent statement, the team sought to reassure stakeholders that the broader community of HYPR token holders remained unaffected. The losses were limited to just two specific addresses, corresponding to the only users who had conducted transactions via the bridge up to that point.
The token's value nonetheless plummeted nearly 40% following the sale of 97 ETH, equivalent to approximately $220,000 at the time of reporting. The market has since rebounded, stabilizing the price.
This incident marks a departure from recent months' trends where bridges primarily lost funds due to compromised keys. It stands out as the first instance of a bridge hack resulting from exploited code since last autumn's BNB incident (discounting the Shibarium bridge's temporary malfunction in August).
Copying code can pose risks, particularly when developers fail to stay current with vulnerabilities in the original source.
Should developers of a forked codebase assume greater responsibility for communication?
Or does this situation suggest that Hypr was insufficiently vigilant?
The Hypr Network leverages the OP Stack, enabling developers to deploy fully functional Layer 2 solutions by forking Optimism as a foundational template.
According to the Hypr team's post-mortem analysis, they deployed using the latest version of the develop branch from the OP monorepo at the time of launch. Regrettably, this branch was not intended for production and harbored a critical vulnerability that had not yet been addressed.
For a detailed account, the team's comprehensive post-mortem report can be accessed here.
BlockSec outlined the vulnerability succinctly:
The attacker exploited the 'finalizeERC20Withdrawal' function by bypassing its checks through contract reinitialization, facilitated by the 'clearLegacySlot' modifier.
Exploiter Address 1: 0x5b8d598b354f5760b2a65f492154e7a3df46d1be
Exploiter Address 2: 0x3ea6ba6d3415e4dfd380516c799aafa94e420519
Attack Transaction: 0x51ce3d9c…
The exploiters received funding from the well-known platform FixedFloat. As of the latest update, the stolen ETH remains in the address 0x5b8d598b354f5760b2a65f492154e7a3df46d1be.
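To make BlockSec's description concrete, here is a constructed Solidity illustration (added here; it is not OP Stack, Hypr or BlockSec code) of an initializer guard defeated by a slot-clearing modifier, shown beside a hardened storage layout. Only the names finalizeERC20Withdrawal and clearLegacySlot come from the page; InitGuard, VulnerableBridge, HardenedBridge, messenger, _legacySpacer, and the assumption that the cleared legacy slot coincides with the guard flag at slot 0 are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-in for an Initializable-style guard (assumption: the flag
// sits in storage slot 0 because it is the first inherited state variable).
abstract contract InitGuard {
    uint8 private _initialized;                  // slot 0
    modifier initializer() {
        require(_initialized == 0, "already initialized");
        _initialized = 1;
        _;
    }
}

// Vulnerable pattern: clearLegacySlot zeroes slot 0 before the guard runs,
// so the guard always sees 0 and initialize() can be called again at will.
// Whoever re-runs it picks the messenger that finalizeERC20Withdrawal trusts.
contract VulnerableBridge is InitGuard {
    address public messenger;                    // slot 1
    modifier clearLegacySlot() {
        assembly { sstore(0, 0) }                // also wipes _initialized
        _;
    }
    function initialize(address m) external clearLegacySlot initializer {
        messenger = m;
    }
    function finalizeERC20Withdrawal(address to, uint256 amount) external {
        require(msg.sender == messenger, "not messenger");
        // ...release `amount` of the token to `to`...
    }
}

// Hardened pattern: legacy clean-up never aliases the guard's slot (a reserved
// spacer keeps the old slot separate). Reordering the modifiers alone is NOT a
// fix: the clear would then run after the flag is set and wipe it anyway.
contract HardenedBridge is InitGuard {
    uint256 private _legacySpacer;               // slot 1: reserved, never reused
    address public messenger;                    // slot 2
    modifier clearLegacySlot() {
        assembly { sstore(1, 0) }                // touches only the spacer
        _;
    }
    function initialize(address m) external initializer clearLegacySlot {
        messenger = m;
    }
    function finalizeERC20Withdrawal(address to, uint256 amount) external {
        require(msg.sender == messenger, "not messenger");
        // ...release `amount` of the token to `to`...
    }
}
```

A review check that catches this class of bug: list every raw `sstore` in modifiers and initializers and confirm none of the targeted slots is owned by the initializer guard or any inherited base contract.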
Composability, interoperability, and leveraging open-source code are foundational to many of DeFi's groundbreaking advancements.
However, they also introduce risks, as a bug in one protocol can potentially impact numerous others across the ecosystem.
Effective communication between development teams and staying informed about security discussions throughout the community are crucial for those utilizing forked code. As highlighted by BlockSec:
Note that the vulnerability was addressed by the OP team after the contract had already been deployed.
This incident highlights the critical need for the community to collaborate on improving the security patching process, a step that will undoubtedly yield collective benefits.
Hypr's post-mortem report indicates that, following consultations with the OP Labs team, they took the following steps:
[OP Labs] agreed to enhance their release and communication processes.
Furthermore, after confirming that other OP infrastructure remained secure, the Optimism Foundation emphasized:
"We encourage developers deploying projects in production to utilize releases approved by Optimism governance, which adhere to the security standards set by the Collective. We are also refining our communication processes for releases to provide clearer guidance for projects utilizing the OP Stack."
As always, being the first to integrate with a new ecosystem can offer significant advantages as an early adopter.
Following a period of subdued market activity, there is now a growing appetite to explore new opportunities driven by FOMO (Fear Of Missing Out) as market conditions improve once again.
The question remains: Are the potential rewards worth the inherent risks?