Hyperliquid-based Hyperdrive loses $782,000 after smart contract exploit

A Hyperliquid-based lending protocol, Hyperdrive, lost about $782,000 worth of tokens following a smart contract exploit Saturday night, in the third notable security incident affecting the popular Layer 1 network. 

The attacker drained two Hyperdrive pools, the protocol's Primary USDT0 Market and Treasury USDT Market, and managed to extract about 673,000 USDT0 stablecoins and 110,244 thBILL, worth around $782,000 combined. The attacker converted the stolen funds into cross-chain assets (BNB and ETH) and sent them off-chain. 

While Hyperdrive has not released a postmortem detailing the attack, blockchain security firm Certik said the attacker "repeatedly exploited an arbitrary call in the router" to drain the funds, meaning an insecure smart contract was likely at fault for the breach. 

Hyperdrive's team paused the protocol immediately after the attack to prevent further damage; the team said on X it expects normal operations to resume soon, and plans to share a postmortem report following an investigation into the attack. 

"We have identified the root cause and corrected the issue," Hyperdrive said in an update on Sunday. "We have also identified the affected accounts and are enacting a compensatory plan shortly."

The Hyperdrive team did not elaborate on the details of the compensatory plan, and The Block could not immediately reach Hyperdrive for context. Hyperdrive has about $21 million worth of value locked on its platform, according to DefiLlama data . 

The exploit is the third significant security incident to hit Hyperliquid's ecosystem since the network's launch in late November, 2024. In March, a whale manipulated the onchain price of Solana-based memecoin JELLYJELLY, forcing the protocol to absorb $12 million in losses. An earlier whale manipulation event left a Hyperliquid vault with a $4 million loss.