Hypr Network - REKT

What is this, a bridge hack for ants?

Yesterday, gaming-focused L2 Hypr Network lost 2.57M HYPR (approx $220k) to a bridge exploit just two days after launch.

The incident was quickly identified by a user, and the team warned users that something was amiss, but without initially admitting to an exploit:

📢 ATTENTION: Do not use the Hypr Network Bridge. The team wants to perform some more tests and do some further audits on the bridge.

The team’s follow-up statement reassured users that HYPR holders in general were not affected, with losses coming from just two addresses (the only users to have bridged funds up to that point).

However, the token did experience a drop of almost 40% when the proceeds were dumped for 97 ETH, worth approx $220k at the time of writing, the price has since recovered with the market rebound.

While we’ve seen plenty of bridges lose funds to compromised keys over recent months, this is the first example of exploited code leading to a bridge hack since last autumn’s BNB bombshell (unless you count the Shibarium bridge’s temporary self-rekt in August).

Forking code can be risky, especially when devs aren't up to date with issues in the original source.

Should developers of a codebase designed to be forked take more responsibility for communications?

Or were Hypr simply not paying enough attention?

Credit: BlockSec, Hypr Network

The Hypr Network is built via OP Stack which allows developers to deploy fully functional L2s, forking Optimism as a template.

In the Hypr team’s post-mortem thread, they explain that:

Hypr used the most recent version of the develop branch of the OP monorepo at the time of deployment. Unbeknownst to us, this was not a production-ready branch and at the time contained a critical vulnerability which had yet to be patched.

The full post-mortem report can be found here.

BlockSec summarised the vulnerability as follows:

The root cause was that the attacker managed to circumvent the 'finalizeERC20Withdrawal' function check by reinitializing the contract, due to the existence of the 'clearLegacySlot' modifier.

Exploiter address 1: 0x5b8d598b354f5760b2a65f492154e7a3df46d1be

Exploiter address 2: 0x3ea6ba6d3415e4dfd380516c799aafa94e420519

Attack tx: 0x51ce3d9c…

The exploiter was funded from hacker-favourite FixedFloat and, at the time of writing, the stolen ETH remains in the 0x5b8d address.

Composability, interoperability and building upon open-source code are elements which allow for many of DeFi’s greatest innovations.

But they also mean that a bug in one place can affect multiple protocols across the sector.

Communication between teams and staying up-to-date with security conversations across the ecosystem is key for anyone relying on forked code. As BlockSec points out:

Note that the vulnerability was patched by the OP team after the contract had been deployed.

This incident underscores the importance of the community working collaboratively to refine the process for releasing security patches, which will undoubtedly benefit us all.

Hypr’s post-mortem report states that, following consultation, with the OP Labs team:

[OP Labs] agreed that improvements on their release and communications process

And, after reassuring users that other OP infrastructure was unaffected, the Optimism Foundation added:

We encourage developers building projects in production to use releases approved by Optimism governance, which meet the security bar established by the Collective. We're also improving our release comms processes to help ensure it's clearer to projects leveraging the OP Stack.

As ever, being the first to bridge to a new ecosystem can often lead to lucrative first mover advantages.

After a prolonged period of apathy, FOMO is driving a growing desire to try new things as markets begin to heat back up once again.

Are the potential rewards worth the risk?

REKT는 익명 작성자들에 의한 공공 플랫폼이며, REKT에 작성된 관점이나 내용에 대해서 그 어떤 책임도 지지 않습니다.

기부 (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C

disclaimer:

REKT는 당사 웹 사이트의 익명의 작성자 또는 REKT에 의해 게시되거나 관련된 서비스에서 게시되는 콘텐츠에 대해 어떠한 책임도 지지 않습니다. 당사는 익명 작성자들의 행동 및 게시물에 대한 규칙을 제공하지만, 익명의 작성자가 웹 사이트 또는 서비스에 게시, 전송 혹은 공유한 내용을 통제하거나 책임지지 않으며, 귀하가 웹 사이트 또는 서비스에서 직면할 수 있는 불쾌함, 부적절함, 음란함, 불법 또는 기타 해로운 콘텐츠에 대해서도 책임을 지지 않습니다. REKT는 당사 웹 사이트 또는 서비스 사용자의 온라인 또는 오프라인 행위에 대한 책임을 지지 않습니다.