Author: Azuma, Odaily Planet Daily
The popular project Hyperliquid (HYPE) today experienced its largest correction since its launch.
Bitget's market shows that as of around 14:00 Beijing time, HYPE is reported at 26.21 USDT, with a daily drop of up to 20.5%.
Are North Korean hackers targeting Hyperliquid?
Looking around the market news, the most discussed event in the Hyperliquid community today is a warning from well-known security researcher Tay (@tayvano_)—multiple recently marked North Korean hacker addresses have been trading on Hyperliquid, with total losses exceeding $700,000.
As of the time of writing, Hyperliquid has not shown any signs of being attacked, but as Tay said, "If I were one of the four validators managing Hyperliquid, I might have already wet my pants"... Signs of activity from the strongest hacking forces in the cryptocurrency world may mean that North Korean hackers have identified Hyperliquid as a potential target and are testing the system's stability by executing trades.
After Tay's post was published, it immediately sparked heated discussions within the community, especially the issues related to the "four validators" mentioned by Tay, which triggered intense discussions. Some community members even see it as the most vulnerable link in Hyperliquid's system security at present.
Potential Threat: $2.3 billion relies solely on 3/4 multisig.
Abstract developer cygaar explained that there are currently $2.3 billion worth of USDC coexisting in the Hyperliquid bridging contract deployed on Arbitrum, and most functions in this bridging contract require signatures from 2/3 of the validators to execute (since there are only four validators, three signatures are actually needed).
Assuming that most (3/4) of the validators are compromised, the compromised validators can submit a request to withdraw all USDC from the bridging contract and send it to a malicious address. Since the attackers control the vast majority of validators, they would be able to pass the request smoothly and ultimately approve the withdrawal request, meaning that $2.3 billion worth of USDC would be transferred to the attackers.
Currently, there are two defenses that can intervene to prevent these USDC from being lost forever.
The first line of defense is established at the contract level of USDC. Circle's blacklist mechanism can completely prevent specific addresses from transferring USDC. If they act quickly enough, they can stop the attacker from transferring the stolen USDC, effectively freezing the funds and repaying the Hyperliquid bridging contract.
Regarding this line of defense, security expert ZachXBT commented that Circle is very inefficient, and one should not expect them to make any remedies, but ZachXBT clarified that this comment is only directed at Circle and does not involve any views on Hyperliquid.
The second line of defense is established at the Arbitrum network level. Currently, the Arbitrum L1/L2 bridging contract on Ethereum is protected by a 9/12 multisig contract (security committee). If the attacker somehow gains control of the $2.3 billion USDC and immediately exchanges it for other tokens, thereby evading Circle's blacklist mechanism. Theoretically, Arbitrum's security committee can also change the state of the chain to roll back and prevent the initial attack transaction from occurring. In an "emergency," the committee can vote to decide whether to intervene.
Cygaar added that the last line of defense is obviously controversial and should only be used in the most critical situations.
"Intentional FUD" or "Good Faith Warning"? The community's reactions vary.
The community's reaction to Tay's warning post has shown a stark polarization.
On one hand, some community members believe that Tay's warning is exaggerated, especially after the drop in HYPE, many community users think Tay is just "deliberately FUDding."
· Some community members pointed out that North Korean hackers target every protocol with high TVL, not just Hyperliquid. Merely discovering traces of hacker activity does not mean the protocol is under threat.
· Some community members also pointed out that Tay actually works for Consensys, raising suspicions that his so-called "warning" has vested interests, and is merely to allow Consensys to reach the most favorable cooperation with the Hyperliquid team.
On the other hand, some well-known figures have chosen to support Tay's security work.
· Well-known white hat hacker samczsun stated that although Tay has served the cryptocurrency industry for free for several years, he has faced severe criticism for this post, solely because HYPE's price dropped significantly after the warning was published... It's really sad to see such news.
· Wintermute founder and CEO Evgeny Gaevoy also stated that Tay's communication style may be somewhat aggressive (after the tweet was published, Tay had a fierce confrontation with some users who accused him), but you cannot ignore information like this.
In summary, for Hyperliquid, which has been smooth sailing since its launch, today's discussion can be seen as a minor incident in the project's operation. It is not significant because Hyperliquid has not actually suffered an attack; it is not trivial because some vulnerabilities in the Hyperliquid system level have been exposed, and community consensus has shown some degree of divergence on this event... However, as a leader aiming to change industry rules, this incident can be seen as a good touchstone. How Hyperliquid addresses the 3/4 multisig issue and calms UFD will also be a good opportunity for the market to reassess the quality and efficiency of the project.