- Attackers drained US$782K from two liquidity pools by abusing router permissions.
- Protocol operations were suspended as developers fixed the flaw and pledged compensation to users.
- The breach followed a US$3.6M HyperVault rug pull, deepening concerns over Hyperliquid’s security.
Hyperdrive, a lending protocol on the Hyperliquid blockchain, has reported losses of around US$782,000 (AU$1.19 million) after an exploit on 27 September drained two of its liquidity pools. Attackers extracted approximately 673,000 USDT0 stablecoins and 110,244 thBILL tokens from Hyperdrive’s Primary USDT0 Market and Treasury USDT Market.
CertiK revealed that the attackers exploited a weakness in Hyperdrive’s router contract that permitted arbitrary calls, allowing them to repeatedly withdraw funds. Developers traced the root of the problem to operator permissions: users had given Hyperdrive’s Router excessive access, enabling it to interact freely with whitelisted contracts, a loophole that the attackers leveraged to drain positions.
The attackers then converted the stolen assets into BNB and ETH and transferred them off-chain. Hyperdrive quickly suspended markets, stating that the vulnerability had been fixed and that a plan was in place to compensate affected users, though no details have been disclosed.
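The router permission flaw described above is a confused-deputy problem: the market trusts the router as an operator, and the router forwards calls for anyone. The sketch below is an added example, not Hyperdrive's contract code; it models that pattern in Python beside a scoped router, and every class, method and account name in it is a hypothetical assumption.

```python
# Constructed model for illustration; all names are hypothetical assumptions.
class Market:
    """Holds balances; an owner may approve operators to act on their position."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.operators = {}  # owner -> set of approved operator ids

    def approve(self, owner, operator):
        self.operators.setdefault(owner, set()).add(operator)

    def withdraw(self, caller, owner, to, amount):
        # Authorization looks only at the immediate caller, not who asked it.
        if caller != owner and caller not in self.operators.get(owner, set()):
            raise PermissionError("caller is not owner or operator")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class ArbitraryCallRouter:
    """Forwards any method to a whitelisted target; the target sees the router."""
    name = "router"
    def __init__(self, whitelist):
        self.whitelist = set(whitelist)

    def execute(self, sender, target, method, **args):
        if target not in self.whitelist:
            raise PermissionError("target not whitelisted")
        return getattr(target, method)(caller=self.name, **args)

class ScopedRouter(ArbitraryCallRouter):
    """Hardened: fixed method allowlist, and the position owner must be the sender."""
    ALLOWED = {"withdraw"}

    def execute(self, sender, target, method, **args):
        if method not in self.ALLOWED:
            raise PermissionError("method not allowed")
        if args.get("owner") != sender:
            raise PermissionError("sender does not own this position")
        return super().execute(sender, target, method, **args)

def demo(router_cls):
    """alice approves the router; mallory, who has no approval, asks it to withdraw."""
    market = Market({"alice": 100})
    market.approve("alice", "router")
    router = router_cls({market})
    try:
        router.execute("mallory", market, "withdraw", owner="alice", to="mallory", amount=100)
    except PermissionError:
        pass
    return market.balances
```

The target whitelist alone does not help here, because the market is a legitimate target; the scoped router closes the gap by binding the position owner to the account that invoked it.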
Security Struggles Continue
The exploit adds to a string of damaging incidents across the Hyperliquid ecosystem, which has already endured two major manipulation attacks resulting in combined losses of US$16 million (AU$24.41 million) earlier in the year.
This includes a breach on 26 September when HyperVault, a separate Hyperliquid-based protocol, lost US$3.6 million (AU$5.49 million) in an attack suspected to be a rug pull. The funds were moved to Ethereum and laundered through Tornado Cash, after which the project’s website and social media disappeared.
These successive exploits have cast serious doubt on Hyperliquid’s security framework, shifting community perception from optimism about its speed and scale to alarm over its apparent vulnerability to attackers.