Hypervault Suffers Suspected $3.6 Million Rugpull, Funds Moved to Tornado Cash

Executive Summary

DeFi protocol Hypervault experienced a suspected $3.6 million rugpull on September 26, 2025, as blockchain security firm PeckShield reported unusual outflows of 752 ETH, subsequently moved to Tornado Cash, prompting trust concerns in the Hyperliquid ecosystem.

The Event in Detail

On September 26, 2025, blockchain security firm PeckShield identified and flagged approximately $3.6 million in unusual outflows from the decentralized finance (DeFi) platform Hypervault. The suspicious activity commenced with a substantial withdrawal from Hypervault, a yield optimization protocol operating on Hyperliquid. The assets were subsequently bridged out of the Hyperliquid network to the Ethereum blockchain. Upon reaching Ethereum, the withdrawn funds were converted into ETH, with a total of 752 ETH (approximately $3 million) deposited into Tornado Cash, a cryptocurrency mixer frequently utilized to obscure transaction trails. Following these transactions, Hypervault's official X (formerly Twitter) account was deleted, and its Discord server was deactivated. Concurrently, the protocol's official website became inaccessible, leading to widespread suspicions of an exit scam, commonly referred to as a "rugpull."

Financial Mechanics

Hypervault operated as a non-custodial, auto-compounding yield aggregator on HyperEVM. The protocol maintained internal account balances and a global accrual index designed to credit realized profit to depositors. It employed modular strategy adapters to deploy capital to external venues such as lending platforms, looping protocols, and concentrated liquidity automated market makers (CL-AMMs). An in-house keeper bot was responsible for harvesting rewards, converting them to the vault's underlying token, applying performance fees, and redeploying the capital. The alleged rugpull involved the systematic movement of assets: initial withdrawal from Hypervault on Hyperliquid, bridging to the Ethereum network, conversion into ETH, and the subsequent transfer of 752 ETH into Tornado Cash. This multi-step process is consistent with methods used to obfuscate the flow of illicitly acquired funds.

Market Implications

This incident is expected to foster a bearish sentiment within the DeFi sector, particularly impacting investor confidence in new or less-audited projects offering high yields. The event places the Hyperliquid ecosystem under scrutiny, despite the underlying Hyperliquid blockchain itself remaining unaffected. Critics assert that unaudited third-party projects within the Hyperliquid ecosystem risk damaging trust. The incident highlights the inherent vulnerabilities associated with permissionless DeFi protocols and may trigger increased caution among investors when evaluating yield-generating opportunities. The use of a mixer like Tornado Cash further complicates any potential recovery efforts and underscores the challenges in tracing funds post-exploit.

Broader Context

The Hypervault rugpull adds to a growing list of security incidents and exit scams within the broader Web3 ecosystem. While the Hyperliquid blockchain remains technically sound, the association with a project that allegedly defrauded users for a significant sum can tarnish the ecosystem's reputation and impede its growth. This event reinforces calls for more robust security audits, enhanced transparency in project operations, and potentially stronger community-driven vetting processes for new DeFi protocols. The incident also serves as a reminder of the risks associated with decentralized finance, particularly for projects that lack a proven track record or extensive independent security assessments. It may accelerate discussions regarding the need for better due diligence by users and platforms alike, impacting overall investor sentiment and potentially influencing the trajectory of corporate adoption trends in the DeFi space.