HYPERDRIVE

DESCRIPTION OF EVENTS

HyperDrive is Hyperliquid's premier stablecoin money market, designed as the core infrastructure for making everything on the HyperCore ecosystem more liquid. The platform aims to be the cornerstone of the fast-growing stablecoin market, which is expected to become one of the largest sectors in crypto. With a focus on sustainable yields, HyperDrive allows users to supply stablecoins for lending, stake $HYPE for rewards, and use Hyperliquid's proprietary strategies, such as the Hyperliquidity Provider (HLP) vault, to generate returns. These strategies ensure that yields are driven by sound, sustainable mechanics, addressing the common issue of declining DeFi yields that plagued the market in 2022.

The stablecoin market has seen explosive growth, with assets like USDC, USDT0, and USDe now exceeding $243 billion in total supply. HyperDrive was built to capitalize on this trend, leveraging the rise of stablecoins in decentralized finance (DeFi) for various uses, from remittances to protecting against hyperinflation. However, the market's early success was marred by unsustainable yields, prompting HyperDrive to focus on long-term, sustainable growth solutions. By using innovative vaults and collateral strategies, such as tokenizing HyperCore vaults and offering managed yield and looping strategies, HyperDrive seeks to transform stablecoin yields into a stable, reliable revenue stream for users.

Looking ahead, HyperDrive envisions becoming the default infrastructure for yield generation in the crypto space. Every crypto wallet is expected to hold stablecoins, which will continuously earn, borrow, and compound through the platform. As Hyperliquid continues to grow, HyperDrive will integrate more stablecoins, tokenization protocols, vaults, and yield opportunities to create a comprehensive ecosystem for maximizing returns. In five years, HyperDrive aims to be the central hub for stablecoin yields, driving value and utility in the crypto world.

Unfortunately, the market router was incorrectly set as an operator during deployment, creating the conditions for an exploitable vulnerability.

Hyperdrive was compromised because users granted the Router unrestricted operator permissions during borrowing/lending flows, and the Router itself was allowed to make arbitrary calls to any to address on a whitelist — and crucially the Market contract was on that whitelist. In practice this meant that anyone who could trigger the Router could instruct it to call the Market contract on behalf of a user. An attacker used that pathway: a user transaction sets the Router as operator (see tx 0x5456d8...a12cb), the Router’s design allows arbitrary whitelisted to calls and the Market (ID 0x05d2...280c, address 0xa52257...d09) is whitelisted, and a third‑party then invoked the Router to issue calls into the Market that altered those users’ positions (see tx 0xcaf5ea...66a6639). Router address: 0x8D9e168a8Fd102Ea52Ba3Cc43d4C613Bb6c89F32.

Technically the root causes were over‑broad operator approvals on user accounts plus a trust assumption in the Router/whitelist model: the whitelist permitted a privileged contract (the Market) to be called indirectly via a Router that could be set as an operator by any user. That combination allowed a third party to trigger state‑changing Market logic against users’ vaults without the users’ intent. Short mitigations include narrowing operator permissions, removing or restricting the Router’s ability to proxy arbitrary whitelisted calls, moving whitelist checks to require the original caller to be an authorized actor (not just the to target), and adding explicit user consent or timelocks for operator-initiated critical actions.

Twitter/X user Diemkan explained further:

"The fundamental design flaw in Hyperdrive's contracts, where the router could call any whitelisted contract, is a serious security vulnerability. This opens the system up to potential privilege escalation attacks, which is a much deeper issue than just a simple bug.

Adding an LLM agent on top of this flawed architecture would not fix the underlying problem. If the agent has access to the router, it could potentially exploit this privilege flaw to perform unauthorized actions."

The amount lost has varied between $782k and $783k through various sources.

The issue first surfaced on June 27, 2025, around 10:00 PM Singapore time, when suspicious activity was detected in the Primary and Treasury USDT0 markets. In response, the team paused all markets and withdrawals while conducting a thorough investigation with the help of auditors and security specialists. Hyperdrive publicly acknowledged exploit within 12 hours and identified that is was affecting two markets: the Primary USDT0 Market and the Treasury USDT Market. The team began working on a patch to address the vulnerability and exploring various options to mitigate the impact on affected users. Hyperdrive emphasized their commitment to transparency and promised a detailed post-mortem report once the investigation is complete. Hyperdrive reiterated that their long-term vision of building the best protocol on Hyperliquid remains unchanged.

All markets are now fully operational with funds restored to all affected accounts. Users were remediated and a patch was able to be developed, reviewed, and implemented within 48 hours. Markets resumed normally.

The attack was traced to a sophisticated threat actor associated with high-profile attacks on other protocols.

Affected users have reportedly been made whole by the HyperDrive team.

Hyperdrive has committed to releasing a full postmortem in the future. According to the latest update from HyperDrive, "[t]he investigation is currently ongoing and we will reveal more information at the appropriate time."

Hyperdrive expressed gratitude to the security community, its Hyperliquid partners, and especially its users for their support during this challenging period. Users who are still experiencing issues or believe their accounts have not been fully remediated are encouraged to open a support ticket via Hyperdrive's Discord server. The team remains committed to transparency and is focused on reinforcing the protocol's security moving forward.

HyperDrive, a core stablecoin money market within the Hyperliquid ecosystem, was compromised due to a vulnerability in its contract design. The issue arose from users granting the Router unrestricted operator permissions, allowing attackers to execute arbitrary calls on the whitelisted Market contract, which resulted in the manipulation of users' positions. The exploit was traced to a sophisticated threat actor linked to other high-profile attacks. Following the incident, HyperDrive paused all markets and withdrawals, conducted a thorough investigation, and quickly implemented a patch within 48 hours. Funds have been restored to affected accounts, and markets are now fully operational. HyperDrive is committed to transparency and will release a post-mortem report, while also working to reinforce the protocol's security. Affected users were compensated, and the team thanked the community for their support during this time.

Hyperdrive Finance - "We are aware of the recent issues affecting the Hyperdrive protocol. At this time, we are able to confirm that the issues affect only two markets: the Primary USDT0 Market and the Treasury USDT Market." - Twitter/X (Sep 29)
Hyperdrive Finance - "We have identified the root cause and corrected the issue. We have also identified the affected accounts and are enacting a compensatory plan shortly. We expect normal market functioning to resume within 24 hours, if not significantly sooner." - Twitter/X (Sep 29)
Hyperdrive Finance - "All markets are fully operational and funds have been restored to all impacted accounts." - Twitter/X (Sep 29)
CryptoNyaRu - "During the lending process, the user sets the Router as Operator, but the Router can execute any Call to addresses in the whitelist, and coincidentally the Market is in the whitelist" - Twitter/X (Sep 29)
Hyperdrive Router Set As Operator - HyperEVMScan (Sep 29)
Hyperdrive Attack Transaction - HyperEVMScan (Sep 29)
Diemkan - "In summary, this is a concerning security design issue that needs to be addressed at the core contract level, rather than just adding a new interface on top of it." - Twitter/X (Sep 29)
Vicki.hl - "A Hyperliquid-based lending protocol, @hyperdrivedefi lost about $782,000 worth of tokens following a smart contract exploit Saturday night, in the third notable security incident affecting the popular Layer 1 network." - Twitter/X (Sep 29)
@i_naiveai Twitter (Sep 29)
@PrincipeCripto Twitter (Sep 29)
@KandleFi Twitter (Sep 29)
@CryptoSangeet Twitter (Sep 29)
@autumn_good_35 Twitter (Sep 29)
@CheekyCrypto Twitter (Sep 29)
@SocatisAI Twitter (Sep 29)
@Cande21990211 Twitter (Sep 29)
@0xTheWeb3Labs Twitter (Sep 29)
@Unchained_pod Twitter (Sep 29)
@cartelxbt Twitter (Sep 29)
@TrustblockHQ Twitter (Sep 29)
@K10NDIKE Twitter (Sep 29)
Hyperdrive Finance Twitter/X Account (Sep 29)
Hyperdrive Homepage (Sep 29)
Hyperdrive - THE Stablecoin Money Market - Mirror.xyz (Sep 29)

More case studies

HyperVault Founder Nick Olsson
Internal Ledger Rug Pull

dTRINITY dLEND Vulnerable
OdosLiquidity Swap Adapter Attack