Incident Postmortem: Bridge Exploit

The Facts of the Incident

• Hypr’s OP Stack Bridge experienced an exploit. This does not affect $hypr holders. 
• 2 Users were affected, with a total of 2.57M Hypr drained and sold in the open market, creating a massive decline in price.

Sequence of Events

• 7:48 PM PST: We received an alert that something unusual was happening on the Hypr Bridge. This event was followed by massive selling and price dropping.
  
  
• 8:09 PM PST: We tweeted an announcement, informing users not to use the bridge. At the same time, we shut off access to the bridge so no users could use it.
  
  
• 8:31 PM PST: All-hands on deck to confirm what was happening. We determined that our bridge was exploited and the 2.57M Hypr that was bridged by 2 users was being drained and then sold in the open market, causing price to massively drop.
  
  
• 9:12 PM PST: We opened up a war room chat with samczsun, other security researchers, the Optimism team, and our developers. We quickly identified the root cause.

Root Cause

Hypr used the most recent version of the develop branch of the OP monorepo at the time of deployment. Unbeknownst to us, this was not a production-ready branch and at the time contained a critical vulnerability which had yet to be patched. 

The Oct 4 update commit says:

“Updates the `reinitialize` value to 3 from 2. Now there is a constant used in all locations so that everything can be updated at once. This solution is not scalable long term because this means that the `reinitialize` value needs to be updated any time a new contract is deployed.”

The root cause of the vulnerability is that the contract can be reinitialized due to the clearLegacySlot modifier:

‍

‍

We met with the OP Labs team, who was very collaborative and helpful; they agreed that improvements on their release and communications process are needed, to make it clearer for teams going forward. They are clearly a top-shelf team and we thank them for working with us on this.

What Are We Doing

• We have upgraded to the most updated version of the bridge code.
  
  
• We met with the Optimism team and discussed how they could have more effectively communicated the critical vulnerabilities and the patch.
  
  
• We also offered to do 1:1 outreach to potentially other affected Layer 2 projects that have forked the OP Stack so they don’t experience this exploit.

Thank You,

-- Hypr Team

We want to personally express our gratitude to samczsun, Slowmist, BlockSec, and the Optimism Foundation team for their help and collaboration. Working with these professionals reinforced our commitment to giving back. They gave of their time and expertise and we are grateful to each of them.