Hypr Loses Over $420,000 in OP Stack Bridge Exploit

The development branch of the OP mono repo utilized by Hypr was not production-ready and contained a vulnerability that needed addressing.

The HYPR token experienced a price drop following the theft and subsequent sale of tokens.

The team behind Hypr Network, a ZK Gaming scaling solution, has shared the postmortem of the OP Stack (Optimism) Bridge hack that occurred on December 12.

In its comprehensive report, Hypr Network reveals that the first alerts about unusual activity impacting the OP Stack Bridge were received from cybersecurity researchers at 7:48 PM PST. These alerts were quickly followed by massive selling of the HYPR token and a subsequent decline in its price.

Hypr swiftly issued a public announcement, advising users to refrain from using the Hypr Bridge. Simultaneously, access to the bridge was cut off to prevent further user engagement.

According to Hypr's report, the investigation revealed that the bridge had been exploited: 2.57 million HYPR tokens bridged by two users were drained and subsequently sold on the open market. This malicious activity led to a substantial drop in the token's price. At the time of the incident, the HYPR token was trading at nearly $0.1655, putting the losses at nearly $425,335. Later, the token's price plummeted to $0.1332, bringing the current value of the lost funds to nearly $342,000.

With the assistance of security researcher Samczsun and experts from BlockSec, SlowMist, and other teams, Hypr successfully identified the root cause of the incident.

According to Hypr's report, the most recent version of the development branch of the OP mono repo was not production-ready and contained a critical vulnerability that had not been patched at the time of deployment.

Optimism's commit text
Source: Optimism, GitHub

The report from Hypr quotes the commit text, which explicitly states that the new solution "is not scalable in the long term," and that the affected "reinitialize" value "needs to be updated any time a new contract is deployed."

The BlockSec team further reports that the vulnerability has already been addressed and fixed by Optimism's developers.