On June 18th 2025 at 2:48 PM CEST, the Intergalactic team received a report via the Hydration Immunefi bug bounty programme, disclosing a critical vulnerability in the transfer function of aTokens, which could have potentially enabled holders of aTokens (i.e. tokens deposited on the Hydration Money Market) to mint more stablepool shares than they would have been entitled to.
Within 2 hours of the submission, the Intergalactic team had evaluated the report. Having acknowledged the severity of the vulnerability, the Technical committee paused liquidity addition for the GDOT pool, which was the only affected pool, securing the funds at risk.
Immediately after this, an emergency runtime upgrade was proposed on Hydration OpenGov. Due to the sensitive nature of the issue, the upgrade was proposed in “stealth”, i.e. the code changes were not published on GitHub until its enactment at the same time as the liquidity add pause was proposed (you can see them now here). Approximately 7 hours after the report, the fixed Hydration runtime was applied on the mainnet, and the transaction pause was removed by the Technical committee.
Given the severity of this vulnerability, the IGL team has prepared a list of measures which will help improve the security posture of the development process, with the goal of minimizing the probability that similar vulnerabilities get introduced in the future.
According to our estimates, the impact of the vulnerability - which remained unexploited - could have led to up to a $22M loss for the Protocol and LPs in Stablepools with aTokens. In accordance with the rules of the Hydration Immunefi bug bounty programme, this is a Critical issue and the whitehat is entitled to the maximum payout of $500,000 in HDX.
To avoid sudden price pressure on HDX, it was negotiated with the whitehat that the payout be made in 2 parts: $250,000 in HDX vested for 20 months, and $250,000 in stablecoins. This is still subject to ratification by Hydration OpenGov.
Full post mortem can be found here -> https://jakpan.hashnode.dev/exploiting-atoken-liquidity-addition-in-stableswap-post-mortem
This proposal, if approved, will:
- 250,000 USDC to the WhiteHat account 12ZuLmUiqhmhEaBEy9DBrYHVtrEdFwCiuhn31bLgmsNFj61u
- $250,000 equivalent in HDX based on the 7D EMA of $0.011 per HDX -> 22,727,040 HDX to the same account, vested for 20 months (608 days)
Congratulations to them! Very well deserved and an honour to have these good people securing projects. 🙏
Thank the good ser