A live public dashboard at https://recovery.hydrachain.org/ holds all data for this effort in real-time — categorized losses, mitigations applied, attack-origin traces, hacker sub-wallet tracking, the V2 migration plan, and live progress against the recovery targets. The dashboard is the single source of truth and updates as funds settle, sub-wallets are identified, and the migration completes.
This thread is a coordination + communication update across all parties involved in the recovery (Hydra DAO, LockTrip, ChangeX, ANI project team, LP holders, contributors). Most of what is described below has already happened or is operated by the relevant project teams independently. The only direct Hydra DAO action on the table today is the wHYDRA + HYDRA-Base V2 snapshot — which proceeds by default unless the community raises a veto in this thread before the snapshot moment.
Posted: 2026-05-12 Snapshot moment: today, at the cutoff blocks given in §1 Discussion window: until the snapshot moment Veto: open to any community member for any reason; binding on wHYDRA + HYDRA-Base only (other tokens are project-team-led)
1. Executive Summary
| Item | Status |
|---|---|
| Incident | On 2026-05-03 ~21:00 UTC, an unauthorized party used a legacy deployment key from the bridge’s initial launch — which had retained admin privileges on the Hydragon-side bridge contract — to grant themselves admin, add malicious observer nodes, and execute fraudulent inbound proposals that drained tokens from the Ethereum-side vaults. No smart-contract exploit, no validator compromise, no chain halt. Public timeline: hydrachainorg/status/2051339937144795473 |
| Total Attack At-risk | ~$962k of community-relevant value across five chains |
| Attacker’s Hydragon wallet — fully paralyzed | 0xd06e82e2… is rejected at admission by two independent layers: (1) a validator txpool filter shipped in node release #140 (binary patch on every Hydra-operated validator and the wider community validator set), and (2) a Python RPC sender-blacklist sidecar fronting every public Hydra RPC. eth_sendRawTransaction from the attacker is rejected with -32600 "transaction sender is blacklisted". Every patched validator also refuses to seal or propose blocks containing the attacker’s transactions. The active validator set on Hydragon is ~15 nodes (2 Hydra-operated + ~13 community-operated), all running the patch and coordinated via a closed Telegram channel. In practical terms the wallet is frozen on Hydragon — including the ~770,000 HYDRA native balance and all wrapped phantom-mints on it — via the honest-validator-majority of that active set. The defense is enforced at the mempool/admission layer rather than at consensus (which keeps partial-rollout safe, no chain-split risk during rollout). A consensus-layer hardening pass is under review for a follow-on release. |
| Already mitigated | ~$846k (~87.9%) via eleven layered defenses: Hydragon wallet paralysis (above), bridges paused on all five chains, exchange liquidity paused for CHANGE, governance migrated to a 2/4 Safe multisig, new defender role with a 15-min delay on every chain, observer threshold raised to 3/6, validator + RPC sender blacklist, GitHub credential rotation + 2FA enforced, KuCoin compliance freeze on a 50,000 HYDRA deposit, and project-absorbed LP residue (~$37k) on the team’s books |
| Donations (Cat 1 sUSDe deficit, $172k target) | $75k of soft-committed donations confirmed: Devs $25k + Nikola $25k + Florian $25k. Plus a $25k aspirational community pledge target |
| Vested ANI — mathematical floor protection | DAO Team worked hard to vest 46,000,000 ANI off-market (~$69k at floor) = 25M system-locked in BurnQ + BurnD + Raid (off-market by curve design) + 21M long-term-investor coordinated vesting via ANIVestingWallet.sol with 1- or 2-year cliffs. For the full vesting horizon (up to 2 years), this supply cannot be redeemed for liquidity — so curve redemption demand for the locked ANI is mathematically zero for the duration, producing a floor-price guarantee that doesn’t depend on price action or further community pledges |
| CHANGE, LOC, wHYDRA, ANI (Ethereum/base) | Liquidity locked and snapshot migration proposed in this draft for one large multi-team coordinated move that will eliminate the hacker onthese chains for ever. Zero effort from holders with no risk of loss. Automatically handled by DAO team and project founders. |
| 30-day projection | ~$1.02M mitigated / ~$962k at-risk (~106%) if confirmed soft-commits settle |
| DAO ratification ask (binding) | Authorize the V2 deploys of wHYDRA on Ethereum and HYDRA-Base on Base — the two tokens under direct Hydra DAO authority — at cutoff blocks Ethereum 25,082,089 and Base 45,918,142 (~22:40 UTC today). Each is pre-minted in full at deploy and finalized — no mint role retained after migration. The LOC, CHANGE, and ANI V2 migrations at the same cutoff blocks are operated independently by their respective project teams (LockTrip, ChangeX, ANI project team) and are shared here for transparency — they do not depend on this DAO proposal to proceed. See §9 for the full scope table |
| Holder action | None required. V2 lands automatically in your existing wallet after cutoff. Old V1 contracts will be deprecated |
| Default outcome | Proceeds by default; halts only if a veto reaches 20% of voting power before the snapshot moment |
| Dashboard | Every number, hacker sub-wallet, defense layer, and per-token mint list is live on https://recovery.hydrachain.org/ |
2. Incident recap
On May 3, 2026 at approximately 21:00 UTC, an unauthorized party gained access to a deployment key from the bridge’s initial launch that had retained administrative privileges on the Hydragon-side bridge contract. The attacker used this key to:
-
Grant themselves admin access on the Hydragon bridge,
-
Add malicious observer nodes, and
-
Create and execute fraudulent bridge proposals to drain tokens from the Ethereum-side vaults.
The unauthorized access occurred late Sunday evening UTC. All five bridges were paused within hours of discovery. There was no smart-contract exploit, no validator compromise, and no chain halt. Hydra L1 and validator consensus were never affected.
Full original disclosure thread: hydrachainorg on X · post 2051339937144795473
Attacker EOA (excluded everywhere): 0xd06e82e2acd26848f86d0F559F7037cd8896071b. Every first-inbound transfer of each V1 token to this address is reverse-traced and visible on the recovery dashboard — two on-chain vault drains (LOC, CHANGE on Ethereum) and three phantom mints via the forged proposals (wHYDRA on Ethereum, ANI on Base, HYDRA on Base).
3. Mitigations already in place — defense in depth
The following layers have shipped and are live. The composite effect is that the attacker’s remaining holdings on every chain have no live monetization path, and the legacy drain is mostly orphaned-by-default.
3.1 Wallet paralysis on Hydragon
The attacker EOA 0xd06e82e2acd26848f86d0F559F7037cd8896071b is rejected at admission by two independent layers:
-
Validator-level txpool filter. Shipped in node release #140 (binary patch, partial-rollout-safe — not a consensus rule). All Hydra-operated validators and the broader community validator set run this filter.
eth_sendRawTransactionfrom the blacklisted sender is rejected with-32600 "transaction sender is blacklisted". -
Parallel RPC sender blacklist. Independent Python sidecar in front of every public RPC endpoint. Auto-reloads the blacklist file on file mtime change every 5s — no service restart needed.
Every patched validator refuses to seal or propose blocks containing the attacker’s transactions, and every public RPC refuses to relay them. The active validator set on Hydragon is approximately 15 nodes — 2 Hydra-operated plus around 13 community-operated — all of which run the patch and coordinate via a closed Telegram channel. The wallet is, in practical terms, frozen on Hydragon. The patch is intentionally enforced at the mempool/admission layer rather than at consensus to keep partial rollout safe (no chain-split risk during rollout). To get a transaction included on Hydragon, an attacker would need to acquire enough stake to enter the active validator set (≥15,000 HYDRA minimum stake plus slot availability against the coordinated honest majority) and win proposer rotation slots against it. A consensus-layer hardening pass — adding a sender check at block-validation time — is under review for a follow-on release.
3.2 Bridge contracts paused — all 5 chains
HydraBridge paused since 2026-05-04 on Ethereum, BNB, Polygon, Base, and Hydragon. No deposits or withdrawals can be processed on any chain. Bridges remain paused through the V2 migration and will be unpaused as the first real action of the new 2/4 Safe multisig.
3.3 DEX / CEX liquidity paused — CHANGE
Liquidity pools and exchange deposits for CHANGE on Ethereum have been paused in coordination with ChangeX team and MEXC. The 322.87M CHANGE in the attacker wallet has no monetization route, on or off chain.
3.4 No present DEX liquidity — LOC, wHYDRA, ANI
LOC, wHYDRA on Ethereum, and ANI on Base have no significant DEX liquidity. There is no on-chain swap path for the attacker, regardless of bridge state. The attacker’s 16.01M LOC (86% of supply), 173k wHYDRA, and 8.04M ANI are stranded by structure, not by policy which has a mitigating effect.
3.5 Bridge governance migration to 2/4 Gnosis Safe multisig + Time Lock
Safes deployed on all 5 chains; DEFAULT_ADMIN_ROLE granted to each Safe additively alongside existing admins. Single-EOA cold admin is being retired after the multisig is exercised in real operations. Safe addresses and signers are listed at the bottom of this proposal.
The migration is going to be completed prior to re-activating the bridge.
3.6 Defender role with 15-minute cancellation window
New DEFENDER key 0x54E0B6f92Dd6E64dFCcC6d040826A4E6a9488AeF rotated in on all 5 chains. delayInBlocks raised to a ~15-minute window on every chain (was 0 blocks on Hydragon, 10 blocks on Ethereum). Defender process runs as a separate PM2 service on all three observer servers — three independent defender instances, each capable of canceling a fraudulent proposal during the delay.
3.7 Observer threshold raised — 3/6 on every chain
votesTreshold raised from 2 to 3 on every bridge. Base brought up from 3 observers to 6, matching the other chains. A single compromised observer key can no longer combine with one other to confirm a proposal — half the observer set is required.
3.8 Legacy role drift cleaned up
After a full live on-chain role audit across all 5 bridges, the leaked 0xfeFF3027… observer role was revoked from Hydragon. Two legacy defenders (0xdff3dA55… and 0x4f655a149d…) revoked across all chains. Hydragon FEE_ADMIN re-granted. All bridges now show zero hostile / drifted addresses.
3.9 GitHub PAT rotation + 2FA enforcement
Mandatory 2FA enabled on the Hydra-Chain GitHub org. Leaked key redacted in the hydra-observer README and pushed to master. The full-collaborator list is being audited and has been pruned.
3.10 KuCoin compliance freeze — 50,000 HYDRA
The attacker deposited 50,000 HYDRA (~$4,600) to their KuCoin deposit address 0x2DFC9489EEd4df04407a6323087f88EE3382FA97 during the attack. KuCoin compliance, in coordination with Hydra DAO, has frozen the account.
3.11 Team-absorbed LP slice — ~$37k
The hacker dumped a slice of the drain into team-LP’d pools (sUSDe project slice ~$24.5k above the $172k Cat 1 line, LOC/WETH V2+V3 pools ~$6.8k, ANI/WETH on Base ~$5.6k). These LP losses are borne by the project and founding teams (LockTrip, Hydra DAO, ANI founder), not by community.
4. The 4-category recovery framework
Every dollar at risk falls in one of four categories. The dashboard displays this framework live with real-time per-category mitigation totals.
4.1 Category 1 — Active community recovery (sUSDe deficit)
| Item | Amount | Status |
|---|---|---|
| Target — sUSDe backing for circulating community ANI | $172,000 | active |
| Vested floor (46M ANI off-market, ≈$0.0015 floor) | $69,000 | locked in raid-protected vesting (see §5) |
| Settled (funds received into the pledge vault) | $0 | pledge vault 0x5E46019590C5A923886acBa19cB1C8150FB8Ca82 |
| Confirmed soft-commits | $75,000 | Devs $25k + Nikola $25k + Florian $25k |
| Aspirational community target | $25,000 | open for community pledges |
| Minimum target line (vested + settled + confirmed) | $144,000 | = 84% of target |
| Projected with community target | $169,000 | = 98% of target |
Pledge vault is the project-treasury Safe on Ethereum. Soft-committed contributors are real human commitments — settlement will appear on-chain in the pledge vault as the sUSDe lands. A separate ~$25k of sUSDe held as project LP / treasury is part of Cat 4 and not Cat 1.
4.2 Category 2 — Paralyzed & mitigated hacker holdings
| Chain | Asset(s) | Approx USD | Mitigations |
|---|---|---|---|
| Hydragon | 748,851 HYDRA (native) + 6 phantom-minted wrapped tokens at 900B+ each | $18,721 + 0 phantom | paralyzed (validator + RPC blacklist) |
| Ethereum | 322.87M CHANGE | $457,955 | liquidity paused, bridge paused, remap planned |
| Ethereum | 16.01M LOC (86% of supply) | $161,461 | no DEX liquidity, bridge paused, excluded from V2 |
| Ethereum | 173k wHYDRA | $4,325 | no DEX liquidity, bridge paused, excluded from V2 |
| Base | 250k HYDRA | $6,250 | bridge paused, excluded from V2 |
| Base | 8.04M ANI | (illiquid) | bridge paused, no DEX liquidity, excluded from V2 |
| Polygon | dust | <$1 | dust |
| BNB | empty | $0 | empty |
The attacker still controls assets, but every monetization path is blocked by at least one layered defense. The wallet is operationally dead.
4.3 Category 3 — Legacy bridge-vault drain
Stablecoins, WBTC, and ETH drained from the Ethereum bridge vaults (ERC20DecimalsVault 0xb2721f46…, ERC20DefaultVault 0x7FEF9e5e…, Wrapped Ether vault 0x99571e95…). Total $104,202, split between long-dormant deposits with no active claimant on Hydragon and a smaller slice held by reachable Hydragon-side wrapped-asset holders.
3a — Likely orphaned (mitigated by default): $91,035
Ethereum-side residue with no matching active claimant on Hydragon — the corresponding wrapper supply belongs to wallets long-inactive (3+ years idle), indicating likely loss of access. A public claim window will be opened on the dashboard and these will be discussed by the DAO in the future when they arise. A separate DAO mini relief fund proposal is likely to happen next as the DAO operational costs have been cut tremendously and it is operating extremely lean. It can potentially allocate a montly amount for a queue of holders that come late. Not guaranteed but likely given the relatively small scale.
| Asset | Drained net of active claims | USD |
|---|---|---|
| USDT | ~20,110 | $20,110 |
| DAI | ~20,739 | $20,739 |
| WBTC | ~0.32 BTC | $25,977 |
| ETH | ~10.73 ETH | $25,170 |
3b — Pending claim (active Hydragon holders): $13,167
Wrapped-token balances on Hydragon held by 78 wallets transacting in 2025-2026 — reachable, legitimate claims against the drained collateral pool. Not counted as recovered until the holders comes forward via Telegram admin contact. After verification, DAO multisig tops up the holder directly in equivalent asset (USDC/USDT/DAI on Ethereum low-gas, BTC/ETH via OTC for the WBTC and ETH claimants).
| Asset | Active holders | Total balance | USD |
|---|---|---|---|
| USDC | 36 | 3,136.84 | $3,137 |
| WBTC | 19 | 0.10230 | $8,312 |
| ETH | 13 | 0.6137 | $1,439 |
| USDT | 6 | 29.78 | $30 |
| DAI | 4 | 248.87 | $249 |
No deadline; the queue stays open indefinitely. TBD
4.4 Category 4 — LP pools dump + project liquidity (~$36.9k)
Hacker dumped a slice of the drain into team-LP’d pools. These LP losses stay with the team and are not part of community recovery.
| Pool / slice | Detail | USD |
|---|---|---|
| sUSDe project slice (Ethereum) | Project portion of vault drain above the $172k Cat 1 line | $24,451 |
| LOC/WETH V2+V3 (Ethereum) | 677k LOC dumped via 1inch — LockTrip / founding-team LP | $6,839 |
| ANI/WETH on Base | 7.02M ANI → 2.412 WETH dumped via 1inch — founding-team LP | $5,590 |
| Total team-absorbed | $36,879 |
5. Vested ANI — raid-protected community-aligned floor
A coordinated 46M ANI vested floor (≈$69k at floor price) to be put off-market in two pools, with permissionless inactivity-protection via the ANIVestingWallet contract.
| Slice | Amount | Where |
|---|---|---|
| System-locked (BurnQ + BurnD + Raid sink) | 25M ANI | ANI tokenomics system addresses |
| Coordinated long-term-investor vesting | 21M ANI | individual ANIVestingWallet deployments (CLIFF or LINEAR, 1y or 2y) |
| Total off-market vested ANI | 46M ANI | ≈$69k floor value |
Raid-protection mechanism — ANIVestingWallet.ping()
ANI’s per-address inactivity timer (timestampBurn[holder]) burns inactive wallets for raid rewards after 365 days. To protect long-term vesters from being raided during their vest, the ANIVestingWallet contract exposes a permissionless ping() function:
-
Anyone can call
ping()on any vesting wallet -
28-day cooldown between successful pings (rate-limited)
-
A successful
ping()self-transfers 1 wei of ANI to trigger ANI’s_beforeTokenTransfersender path, which resetstimestampBurn[self] = block.timestamp + 365 days -
The vester’s inactivity timer is auto-extended for the entire vesting duration as long as anyone calls ping (the community has every incentive to)
This pool also serves as an open invitation to new long-term ANI investors willing to commit to 1y or 2y CLIFF vests, contributing to the off-market floor.
6. The V2 migration plan (the operational ask of this proposal)
6.1 Cutoff blocks (snapshot point)
| Chain | Cutoff block | UTC timestamp |
|---|---|---|
| Ethereum | 25,082,089 | ~2026-05-12 22:40 UTC |
| Base | 45,918,142 | ~2026-05-12 22:40 UTC |
6.2 Per-token execution
| Token | Old contract (V1) | Recipients | V2 total supply at deploy | Operator |
|---|---|---|---|---|
| LOC | 0x5e3346444010135322268a4630d2ED5F8D09446c (Ethereum) |
186 | 17,406,744 (720,219 holders + LP + 16,686,525 vault refill) | LockTrip |
| CHANGE | 0x7051faED0775f664a0286Af4F75ef5ed74e02754 (Ethereum) |
271 | 424,680,824 (101,811,058 holders + LP + 322,869,766 vault refill) | ChangeX (DAO advisory) |
| wHYDRA | 0x96C3530BFd0a906a123A4e26CEbB635636B41f9d (Ethereum) |
188 | 26,089,003 (incl. 25M DAO cold wallet line that transfers to the vault post-deploy) | Hydra DAO |
| HYDRA on Base | 0x916860Dbf7C91ed60E60947A91c1aF45F36d0485 (Base) |
1 | 26,000,000 (full pre-mint to ERC20DecimalsVault Base 0x7FEF9e5e…, no mint role) |
Hydra DAO |
| ANI | 0x48acdfaCC520cD50da3a5824E794daAc5677363e (Base) |
1 | 1,000,000,000 (founder’s bare ERC-20, full supply to ERC20DefaultVault Base 0x06f0b83E…) |
ANI project team |
6.3 Contract architecture — Shape A (pre-mint, no mint role)
All V2 contracts use OpenZeppelin v4.9.6 templates: ERC20 + ERC20Capped + ERC20Permit + Ownable. Pinned to solc 0.8.19 + EVM target london for Hydragon compatibility. Each contract pre-mints the full supply at deploy via a single batchMint flow, then calls finalize(expectedTotalSupply) which verifies the total and renounces ownership. After finalize, no mint authority exists on any V2 contract. Total supply is locked permanently.
The hacker EOA is hard-coded as an EXCLUDED constant in batchMint — the contract will revert if the address ever appears as a recipient.
6.4 Bridge restart
Bridges remain paused until all V2 deploys are complete and bridge wrappers are pointed at the new contract addresses + Multi sig migration is completed with time-lock mechanisms. Once routing is updated and the Safe multisig has been exercised to unpause via a real transaction, bridges resume normal operation against the V2 contracts.
Official announcement will be made when that happens. Likely couple of days after the snapshot migration is done.
7. Snapshot Methodology: Reverse-FIFO
The goal is to give each legitimate holder the same V2 balance they hold in V1 at the cutoff block, while giving the attacker and every wallet that received tainted V1 nothing.
The algorithm replays every Transfer event on each V1 token from a fixed pre-drain anchor block (Ethereum 25,015,397, Base 45,527,123 — verified to be blocks where the attacker held 0 across every token) forward to the cutoff block.
For each address, we maintain a FIFO queue of “tranches” of tokens, each tagged clean or tainted:
-
At the anchor, every holder is seeded with one clean tranche equal to their pre-drain balance. The attacker is seeded empty.
-
Post-anchor mints are tagged tainted (the bridge was compromised; the legitimate supply ceiling is the pre-drain total).
-
On each transfer, we pop the oldest tranche from the sender’s queue and push it to the receiver. Tranches keep their clean/tainted tag through every hop.
-
Two overrides: any transfer to the attacker is forced tainted; any transfer from a known DEX pool is forced clean (the pool purifies — a DEX buyer paid real money and the pool’s internal mix is opaque).
The final V2 mint per address = sum of clean tranches in their queue at cutoff, plus LP credits for wallets that held LP positions pre-drain (so LP owners are not zeroed out by the algorithm).
This approach is stable at any cutoff block — re-running with a later snapshot produces consistent results. It handles attacker fragmentation automatically: when the attacker moves tainted tokens to a fresh wallet, the algorithm propagates the tainted tag through, so the fresh wallet ends up with zero clean balance at cutoff.
7.1 Vault refills vs phantom mints
| Token | Drain pattern | V2 mint recipient |
|---|---|---|
| LOC | Vault drain (real LOC released from Ethereum vault) | Vault refill: 16,686,525 V2 LOC minted to ERC20DecimalsVault Ethereum |
| CHANGE | Vault drain (real CHANGE released from Ethereum vault) | Vault refill: 322,869,766 V2 CHANGE minted to vault |
| wHYDRA | Phantom mint (no vault on Ethereum side — bridge-mintable) | No vault to refill; 25M cold-wallet line covers bridge wrapper inventory |
| HYDRA-Base | Phantom mint (no vault on Base side — bridge-mintable) | Full pre-mint to bridge vault 0x7FEF9e5e… |
| ANI | Phantom mint (no vault on Base side — bridge-mintable) | Founder deploys; full 1B to bridge vault 0x06f0b83E… |
Cross-validation: every drain has been verified via attack-origin trace — the first-inbound transfer of each V1 token to the hacker, traced on-chain (2 vault drains for LOC + CHANGE, 3 phantom mints for wHYDRA + HYDRA-Base + ANI). The traces are published on the dashboard.
7.2 Hacker sub-wallets
199 hacker sub-wallets have been traced via the reverse-FIFO replay and are listed publicly on the dashboard. None receive V2. Each was identified through transparent on-chain propagation of the tainted tag — the same algorithm that decides legitimate holder credits.
8. Pre-coordination receipts
This proposal has been pre-aligned with all five operating teams:
| Team | Token | Status | Lead |
|---|---|---|---|
| LockTrip | LOC | Agreed; LockTrip leads LOC V2 deploy | Hydra DAO contributor (LockTrip representative) |
| ChangeX | CHANGE | Agreed; ChangeX leads, Hydra DAO advisory; MEXC + listing exchanges coordinated for D&W suspension around cutoff | ChangeX team |
| ANI project team | ANI on Base | Agreed; ANI project team deploys bare ERC-20 with full 1B supply to HydraBridge_Base entry; Hydragon-side ANI airdrops handled separately by founder | ANI project lead |
| Hydra DAO | wHYDRA on Ethereum, HYDRA on Base | Agreed; DAO core team executes both deploys | DAO core |
| LP NFT / V2-LP holders | All affected pools | Notified privately not to dissolve V1 LP positions before cutoff (dissolving early would double-credit via pool-purification override + LP pre-drain credit). Key wallets: 0x88eF5B70… (LOC + wHYDRA), 0x04B6622a… (CHANGE) |
DAO contact |
LP credits are computed against pre-drain pool balances and distributed directly to the LP NFT / LP-token owner wallets — not to the pool contract addresses.
9. How the veto works
Most of this thread is a coordination update — the mitigation, the donor commitments, the 46M ANI vested floor, the project-team coordination. The Hydra DAO has direct authority over wHYDRA and HYDRA-Base only; the LOC, CHANGE, and ANI migrations are operated by their respective project teams (LockTrip, ChangeX, ANI project team) and proceed on their schedule. They’re shared here for transparency, not for DAO ratification.
If you want to raise an objection to any token (wHYDRA, HYDRA-Base, or any of the project-team-led ones), reply in this thread with the token and your reason. Any reason is fine. A vote-tally contract will be opened at [VETO CONTRACT ADDRESS HERE] for on-chain vote weighting. If a veto reaches the proposed 20% threshold of voting power before the snapshot moment, the wHYDRA and/or HYDRA-Base deploys halt; for LOC, CHANGE, ANI the signal is forwarded to the relevant team but structurally those proceed.
The discussion window is intentionally short — the bridge has been paused for over a week, the migration tooling has been audit-cleared, and the attacker is actively fragmenting his V1 across fresh sub-wallets daily. If the community judges the window is too short on non-emergency grounds, vote to defer; the wHYDRA + HYDRA-Base deploys will hold for a longer review.
10. Timeline
| When | Action |
|---|---|
| Now (post time) | Discussion window open in this thread |
| T−0 (cutoff) | Cutoff blocks mine; balances locked on-chain |
| T+30min | Reverse-FIFO snapshot re-run at exact cutoff; mint lists locked, SHA-256 hashes published |
| T+30min → T+1h30 | V2 contracts deployed, batched, and finalized (renounced) per token, by each operator |
| T+4h | Recovery dashboard updated with V2 contract addresses |
| T+1day | Governance Multi-sig Finalization |
11. Composite recovery health
| Category | At-risk | Mitigated now | Projected (30d, with soft-commits) |
|---|---|---|---|
| Cat 1 — Active community (sUSDe deficit) | $172k | $69k (vested floor) | $169k (vested + $75k confirmed + $25k aspirational) |
| Cat 2 — Paralyzed / mitigated hacker holdings | $649k | $649k (paralyzed + paused + no liquidity) | $649k |
| Cat 3a — Likely orphaned vault drain | $91k | $91k (mitigated by default) | $91k |
| Cat 3b — Pending claim (78 active holders) | $13k | $0 (top-up on claim) | up to $13k |
| Cat 4 — LP pools dump (team-absorbed) | $37k | $37k (project-absorbed) | $37k |
| Total | ~$962k | ~$846k (87.9%) | ~$1.02M (~106%) |
Per-category breakdown updates live on the dashboard.
12. Safes & key on-chain references
2/4 Gnosis Safe deployments:
| Chain | Safe Address | Managed Via |
|---|---|---|
| Ethereum | 0x5E46019590C5A923886acBa19cB1C8150FB8Ca82 |
app.safe.global |
| Base | 0xF7D2F0946eb69954e1E44Bd9B76B63AC787f6cDA |
app.safe.global |
| BNB | 0x008C8c74Bd25A4202A31AF18106501D3A7095B40 |
app.safe.global |
| Polygon | 0x53F35c91bb2583F9Da77E27B191629E43eB9317F |
app.safe.global |
| Hydragon | 0x1B4A1b89cEfBa22a8B7D6469Ef52b9fd20f8FC04 |
multisig.hydrachain.org |
Safe signers (4 on new Safes, 3 on Hydragon): 0x44992551FEF7a8Eff4843d4c4795CCF8396f6E65 (DAO cold), 0x253Ff1415B904C578902298393ad59c502e46f04, 0x5d6A857DC098dD31A8E5A123457938ef77d7818D, 0xd6d36Dbd6c61a073d055e12909Fb8A13B8ab3717
New defender key: 0x54E0B6f92Dd6E64dFCcC6d040826A4E6a9488AeF
Pledge vault (Cat 1): 0x5E46019590C5A923886acBa19cB1C8150FB8Ca82 (Ethereum multi-sig Safe) - Any community donations that come will be used for hte mitigation plan
KuCoin frozen deposit (Cat 2/recovery): 0x2DFC9489EEd4df04407a6323087f88EE3382FA97 — 50,000 HYDRA — TX 0x8ab67e5fab34478e2c3500d5c1e5a4dabaf4e88c69d7b04f09c3c80c1cb44d3a
Hacker EOA (excluded everywhere): 0xd06e82e2acd26848f86d0F559F7037cd8896071b
13. Recovery dashboard
Live status, full per-token plan, hacker sub-wallet list, defense-layer breakdown, KuCoin freeze details, Category 3b active claimant queue, attack-origin traces per token, vested-ANI floor breakdown, and live composite mitigation totals are all on the recovery dashboard:
https://recovery.hydrachain.org/
The dashboard updates in real time as the migration executes, soft-commits settle, and 3b holders come forward. V2 contract addresses will be posted as each deploy completes.
14. The discussion window
This proposal opens a fast-track inverted-veto window that runs from the moment of posting up to the snapshot blocks (Ethereum 25,082,089 and Base 45,918,142). The window is intentionally short given the urgency of the remedy plan and the fact that the attacker continues to fragment stolen V1 across new sub-wallets daily. Note: the binding effect of the veto is limited to wHYDRA and HYDRA-Base (the tokens under direct Hydra DAO authority — see §9). For LOC, CHANGE, and ANI the veto is advisory; the relevant project teams will hear the signal but proceed on their own schedules.
The fast-track length is driven by two operational factors:
-
Hacker fragmentation risk on Ethereum. The attacker has been moving stolen V1 between fresh sub-wallets since May 11 — 199 sub-wallets identified so far. The reverse-FIFO algorithm is fragmentation-immune by design (every sub-wallet is auto-excluded once traced), but a longer delay creates more sub-wallet hops for forensic-team coordination.
-
Bridge stays paused until V2 lands. Every additional hour the bridge stays paused is an hour of stranded user funds on Hydragon-side wrappers (Cat 3b — 78 reachable holders waiting on top-up).
If the community judges this window is too short for fast-track snapshot, vote to defer. A defer-vote reaching the 20% threshold halts execution and re-opens a longer review window; we will re-post this thread with a new cutoff at that time. If no veto or defer reaches threshold by the snapshot moment, the migration proceeds as described in §6.
15. Discussion
Replies welcome on anything in this thread — methodology questions, per-token concerns, the veto threshold, the window length, soft-commit timing, the broader recovery framework, or anything else. If you want to halt one of the deploys, name the token and your reason — short reasons are fine.