HyperDrive Router Set As Operator State Changes Triggered

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 16:05, 10 October 2025 by Azoundria


HyperDrive Logo/Homepage

HyperDrive, a core stablecoin money market within the Hyperliquid ecosystem, was compromised due to a vulnerability in its contract design. The issue arose from users granting the Router unrestricted operator permissions, allowing attackers to execute arbitrary calls on the whitelisted Market contract, which resulted in the manipulation of users' positions. The exploit was traced to a sophisticated threat actor linked to other high-profile attacks. Following the incident, HyperDrive paused all markets and withdrawals, conducted a thorough investigation, and quickly implemented a patch within 48 hours. Funds have been restored to affected accounts, and markets are now fully operational. HyperDrive is committed to transparency and will release a post-mortem report, while also working to reinforce the protocol's security. Affected users were compensated, and the team thanked the community for their support during this time.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24]

About HyperDrive

HyperDrive is Hyperliquid's premier stablecoin money market, designed as the core infrastructure for making everything on the HyperCore ecosystem more liquid. The platform aims to be the cornerstone of the fast-growing stablecoin market, which is expected to become one of the largest sectors in crypto. With a focus on sustainable yields, HyperDrive allows users to supply stablecoins for lending, stake $HYPE for rewards, and use Hyperliquid's proprietary strategies, such as the Hyperliquidity Provider (HLP) vault, to generate returns. These strategies ensure that yields are driven by sound, sustainable mechanics, addressing the common issue of declining DeFi yields that plagued the market in 2022.

The stablecoin market has seen explosive growth, with assets like USDC, USDT0, and USDe now exceeding $243 billion in total supply. HyperDrive was built to capitalize on this trend, leveraging the rise of stablecoins in decentralized finance (DeFi) for various uses, from remittances to protecting against hyperinflation. However, the market's early success was marred by unsustainable yields, prompting HyperDrive to focus on long-term, sustainable growth solutions. By using innovative vaults and collateral strategies, such as tokenizing HyperCore vaults and offering managed yield and looping strategies, HyperDrive seeks to transform stablecoin yields into a stable, reliable revenue stream for users.

Looking ahead, HyperDrive envisions becoming the default infrastructure for yield generation in the crypto space. Every crypto wallet is expected to hold stablecoins, which will continuously earn, borrow, and compound through the platform. As Hyperliquid continues to grow, HyperDrive will integrate more stablecoins, tokenization protocols, vaults, and yield opportunities to create a comprehensive ecosystem for maximizing returns. In five years, HyperDrive aims to be the central hub for stablecoin yields, driving value and utility in the crypto world.

The Reality

Unfortunately, the market router was incorrectly set as an operator during deployment, creating the conditions for an exploitable vulnerability.

What Happened

HyperDrive was compromised due to a vulnerability in its contract design allowing unauthorized calls.

Key Event Timeline - HyperDrive Router Set As Operator State Changes Triggered
Date | Event | Description
August 1st, 2025 10:33:52 PM MDT | Hyperdrive Router Set As Operator | A transaction which sets up the permissions vulnerability in the protocol. "During the lending process, the user sets the Router as Operator, but the Router can execute any Call to addresses in the whitelist, and coincidentally the Market is in the whitelist."
September 27th, 2025 6:54:52 AM MDT | Hyperdrive Attack Transaction | The attack transaction which is related to this exploit.
September 27th, 2025 7:55:00 AM MDT | Analysis By CryptoNyaRu Posted | Twitter/X user CryptoNyaRu publishes an initial analysis of the exploit transaction in Chinese, including links to the related transactions viewable in the block explorer.
September 27th, 2025 8:00:00 AM MDT | Team Reportedly Aware Of Activity | The approximate time that the Hyperdrive team became aware of the suspicious activity (assuming that their post is meant to say September and not June).
September 27th, 2025 6:27:00 PM MDT | Initial Hyperdrive Announcement | The Hyperdrive Finance team posts on Twitter/X to announce that they are aware of the exploit, that only two markets ("Primary USDT0 Market and the Treasury USDT Market") are affected/vulnerable, and that further updates will be available in the future.
September 28th, 2025 12:38:00 AM MDT | Intermediate Update Posted | The HyperDrive team posts an intermediate update on Twitter/X. They "have identified the root cause and corrected the issue. We have also identified the affected accounts and are enacting a compensatory plan shortly. We expect normal market functioning to resume within 24 hours, if not significantly sooner."
September 28th, 2025 6:29:00 PM MDT | Hyperdrive Restoration Update | Hyperdrive posts an update announcing that all markets have now reopened. "All markets are fully operational and funds have been restored to all impacted accounts."

Technical Details

Hyperdrive was compromised because users granted the Router unrestricted operator permissions during borrowing/lending flows, and the Router itself was allowed to make arbitrary calls to any target ("to") address on a whitelist; crucially, the Market contract was on that whitelist. In practice this meant that anyone who could trigger the Router could instruct it to call the Market contract on behalf of a user. An attacker used that pathway: a user transaction set the Router as operator (see tx 0x5456d8...a12cb); the Router's design allowed arbitrary calls to whitelisted targets, and the Market (ID 0x05d2...280c, address 0xa52257...d09) was whitelisted; a third party then invoked the Router to issue calls into the Market that altered those users' positions (see tx 0xcaf5ea...66a6639). Router address: 0x8D9e168a8Fd102Ea52Ba3Cc43d4C613Bb6c89F32.

Technically, the root causes were over-broad operator approvals on user accounts plus a trust assumption in the Router/whitelist model: the whitelist permitted a privileged contract (the Market) to be called indirectly via a Router that any user could set as an operator. Because the Market only checked that its caller (the Router) was an approved operator, and the Router did not check who had asked it to forward the call, a third party could trigger state-changing Market logic against users' vaults without the users' intent. Short-term mitigations include narrowing operator permissions, removing or restricting the Router's ability to proxy arbitrary whitelisted calls, moving whitelist checks to require the original caller to be an authorized actor (not just the "to" target), and adding explicit user consent or timelocks for operator-initiated critical actions.
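The following is an added, simplified model of the trust gap described above (it is not HyperDrive's code, and the names Market, Router, set_operator, withdraw_for and execute are assumptions): the Market trusts any approved operator as its caller, while the vulnerable Router forwards calls for anyone; the hardened variant additionally requires the original caller to be the affected user or an operator that user approved.

```python
# Constructed model of the operator/router trust flaw described above, not HyperDrive's
# code; names (Market, Router, set_operator, withdraw_for, execute) are assumptions.

class Market:
    """Whitelisted market: trusts a user's approved operators to move their position."""
    def __init__(self):
        self.positions = {}   # user -> balance
        self.operators = {}   # user -> set of approved operator addresses

    def set_operator(self, sender, operator):
        # A user grants `operator` the right to act on their position.
        self.operators.setdefault(sender, set()).add(operator)

    def withdraw_for(self, sender, user, to, amount):
        # The only check: is msg.sender (`sender`) the user or one of their operators?
        if sender != user and sender not in self.operators.get(user, set()):
            raise PermissionError("not an operator for user")
        if self.positions.get(user, 0) < amount:
            raise ValueError("insufficient position")
        self.positions[user] -= amount
        self.positions[to] = self.positions.get(to, 0) + amount


class Router:
    """Proxies calls to whitelisted targets; the target sees the Router as msg.sender."""
    ADDRESS = "router"
    def __init__(self, whitelist, require_caller_auth):
        self.whitelist = whitelist
        self.require_caller_auth = require_caller_auth  # False = vulnerable, True = hardened

    def execute(self, caller, target, fn, user, *args):
        if target not in self.whitelist:
            raise PermissionError("target not whitelisted")
        # Hardened check: the original caller must be the user being acted on (or an
        # operator that user approved), not merely anyone able to reach the Router.
        if self.require_caller_auth and caller != user \
                and caller not in target.operators.get(user, set()):
            raise PermissionError("caller not authorized to act for user")
        return getattr(target, fn)(self.ADDRESS, user, *args)


def scenario(hardened):
    # Alice approves the Router as operator; an unrelated caller tries to drain her.
    market = Market()
    market.positions["alice"] = 100
    router = Router(whitelist={market}, require_caller_auth=hardened)
    market.set_operator("alice", Router.ADDRESS)
    try:
        router.execute("mallory", market, "withdraw_for", "alice", "mallory", 100)
    except PermissionError:
        pass
    return market.positions.get("alice", 0), market.positions.get("mallory", 0)
```

With the vulnerable Router, scenario(False) returns (0, 100): Alice's position moves to the unrelated caller; with the caller check, scenario(True) returns (100, 0) while Alice's own forwarded calls still succeed.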

Twitter/X user Diemkan explained further:

"The fundamental design flaw in Hyperdrive's contracts, where the router could call any whitelisted contract, is a serious security vulnerability. This opens the system up to potential privilege escalation attacks, which is a much deeper issue than just a simple bug.

Adding an LLM agent on top of this flawed architecture would not fix the underlying problem. If the agent has access to the router, it could potentially exploit this privilege flaw to perform unauthorized actions."

Total Amount Lost

Estimates of the amount lost vary between $782k and $783k across sources.

The total amount lost has been estimated at $782,000 USD.

Immediate Reactions

The issue first surfaced on June 27, 2025, around 10:00 PM Singapore time, when suspicious activity was detected in the Primary and Treasury USDT0 markets. In response, the team paused all markets and withdrawals while conducting a thorough investigation with the help of auditors and security specialists. Hyperdrive publicly acknowledged the exploit within 12 hours and identified that it was affecting two markets: the Primary USDT0 Market and the Treasury USDT Market. The team began working on a patch to address the vulnerability and explored various options to mitigate the impact on affected users. Hyperdrive emphasized its commitment to transparency and promised a detailed post-mortem report once the investigation was complete. Hyperdrive reiterated that its long-term vision of building the best protocol on Hyperliquid remains unchanged.

Ultimate Outcome

All markets are now fully operational, with funds restored to all affected accounts. Affected users were remediated, and a patch was developed, reviewed, and implemented within 48 hours. Markets resumed normally.

The attack was traced to a sophisticated threat actor associated with high-profile attacks on other protocols.

Total Amount Recovered

Affected users have reportedly been made whole by the HyperDrive team.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

Hyperdrive has committed to releasing a full postmortem in the future. According to the latest update from HyperDrive, "[t]he investigation is currently ongoing and we will reveal more information at the appropriate time."

Hyperdrive expressed gratitude to the security community, its Hyperliquid partners, and especially its users for their support during this challenging period. Users who are still experiencing issues or believe their accounts have not been fully remediated are encouraged to open a support ticket via Hyperdrive's Discord server. The team remains committed to transparency and is focused on reinforcing the protocol's security moving forward.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Hyperdrive Finance - "We are aware of the recent issues affecting the Hyperdrive protocol. At this time, we are able to confirm that the issues affect only two markets: the Primary USDT0 Market and the Treasury USDT Market." - Twitter/X (Accessed Sep 29, 2025)
  2. Hyperdrive Finance - "We have identified the root cause and corrected the issue. We have also identified the affected accounts and are enacting a compensatory plan shortly. We expect normal market functioning to resume within 24 hours, if not significantly sooner." - Twitter/X (Accessed Sep 29, 2025)
  3. Hyperdrive Finance - "All markets are fully operational and funds have been restored to all impacted accounts." - Twitter/X (Accessed Sep 29, 2025)
  4. CryptoNyaRu - "During the lending process, the user sets the Router as Operator, but the Router can execute any Call to addresses in the whitelist, and coincidentally the Market is in the whitelist" - Twitter/X (Accessed Sep 29, 2025)
  5. Hyperdrive Router Set As Operator - HyperEVMScan (Accessed Sep 29, 2025)
  6. Hyperdrive Attack Transaction - HyperEVMScan (Accessed Sep 29, 2025)
  7. Diemkan - "In summary, this is a concerning security design issue that needs to be addressed at the core contract level, rather than just adding a new interface on top of it." - Twitter/X (Accessed Sep 29, 2025)
  8. Vicki.hl - "A Hyperliquid-based lending protocol, @hyperdrivedefi lost about $782,000 worth of tokens following a smart contract exploit Saturday night, in the third notable security incident affecting the popular Layer 1 network." - Twitter/X (Accessed Sep 29, 2025)
  9. @i_naiveai - Twitter/X (Accessed Sep 29, 2025)
  10. @PrincipeCripto - Twitter/X (Accessed Sep 29, 2025)
  11. @KandleFi - Twitter/X (Accessed Sep 29, 2025)
  12. @CryptoSangeet - Twitter/X (Accessed Sep 29, 2025)
  13. @autumn_good_35 - Twitter/X (Accessed Sep 29, 2025)
  14. @CheekyCrypto - Twitter/X (Accessed Sep 29, 2025)
  15. @SocatisAI - Twitter/X (Accessed Sep 29, 2025)
  16. @Cande21990211 - Twitter/X (Accessed Sep 29, 2025)
  17. @0xTheWeb3Labs - Twitter/X (Accessed Sep 29, 2025)
  18. @Unchained_pod - Twitter/X (Accessed Sep 29, 2025)
  19. @cartelxbt - Twitter/X (Accessed Sep 29, 2025)
  20. @TrustblockHQ - Twitter/X (Accessed Sep 29, 2025)
  21. @K10NDIKE - Twitter/X (Accessed Sep 29, 2025)
  21. @K10NDIKE Twitter (Accessed Sep 29, 2025)
  22. Hyperdrive Finance Twitter/X Account (Accessed Sep 29, 2025)
  23. Hyperdrive Homepage (Accessed Sep 29, 2025)
  24. Hyperdrive - THE Stablecoin Money Market - Mirror.xyz (Accessed Sep 29, 2025)