
An attacker spent 57 days quietly positioning for an ERC4626 inflation attack against Parallel protocol's savings vault. The exploit never landed. Here's how the defense held.
On May 7, 2026, an attacker deployed an attack contract targeting Parallel’s USDp. Hypernative's live monitoring flagged the attack contract upon deployment and automatically paused Parallel’s cross-chain deployment within seconds. When the attacker tried again at 20:52:23 UTC, the protocol was already locked.
No funds were lost. By the post-mortem's accounting, the attacker had positioned to extract over $1.52M in USDp. None of it moved.
The Parallel attack arrived during one of the most active hacking stretches in recent memory. April alone saw major incidents at Drift and KelpDAO, part of a wider surge in successful exploits that reflects a structural shift in the threat environment. AI-assisted tooling is lowering the barrier to sophisticated attack construction and accelerating the pace at which attackers can identify and exploit accounting edge cases. Attackers are coming prepared. The difference, increasingly, is whether the protocols are too.
"We're grateful the automated pause did exactly what we built it to do. This incident proved to us that the security posture we designed from the beginning was the right one. In this environment, being prepared before something happens is the only position that matters."
Noah, Founder & CEO @ Cooper Labs (Service Provider for Parallel)
Starting 57 days before the attack, an adversary quietly accumulated approximately 99% of the Ethereum sUSDp supply across two independently funded wallets, exploiting two specific conditions on that deployment: a small total supply of roughly 2.7K sUSDp and a 40-day dormancy window in which no vault interactions had occurred. That dormant accrued yield would flush as a single lump on the next interaction, an ERC4626 inflation mechanic the attacker intended to capture by holding near-total supply at the moment of minting. A few hours before the attack, the attacker also created a Safe multisig, assessed by Parallel's team as a likely attempt to obscure the onchain footprint from monitoring systems.
On May 7, the attacker deployed an exploit contract and submitted the attack transaction. Hypernative's platform detected the deployed contract in real time, flagged it with a high malicious score, and identified it as targeting Parallel. That triggered an automated response, pausing the relevant contracts before the attack could complete. No funds were lost. For the full technical timeline, transaction hashes, and forensic detail, see Parallel's post-mortem.
Two independent controls acted in sequence. Either one, Parallel noted in its post-mortem, would have been sufficient on its own.
The speed of the automated response was not accidental. It was the product of architecture decisions Parallel made during onboarding months earlier.
A central design requirement was separating alert thresholds from pause thresholds. The team configured conditional logic so that a mild deviation triggers a human-readable alert, while a more severe deviation triggers an automated onchain pause, with no human action required at the moment of execution. Achieving that required granting the pause role to a Hypernative-controlled address directly rather than routing the pause action through a multisig, which would have introduced approval latency that could potentially cost hours.
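The tiered policy described above, sketched as an added example over the two preconditions named earlier (supply concentration and vault dormancy). This is not Parallel's or Hypernative's code; the class names, thresholds and snapshot values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    NONE = "none"
    ALERT = "alert"  # notify humans only
    PAUSE = "pause"  # call pause via the directly granted role, no approval step

@dataclass(frozen=True)
class Policy:
    # Hypothetical thresholds; the alert tier is deliberately looser than the pause tier.
    alert_share: float = 0.50
    pause_share: float = 0.90
    alert_dormant_days: float = 14.0
    pause_dormant_days: float = 30.0
    top_k: int = 2  # sum the k largest holders so a split position is still seen

def top_k_share(balances, total_supply, k):
    """Fraction of the share supply held by the k largest holders."""
    if total_supply <= 0:
        return 0.0
    return sum(sorted(balances.values(), reverse=True)[:k]) / total_supply

def evaluate(balances, total_supply, dormant_days, pending_yield, policy=Policy()):
    """Return (action, top-k share, capturable yield) for one vault snapshot."""
    share = top_k_share(balances, total_supply, policy.top_k)
    # Yield that flushes as one lump is split pro rata across shares, so this
    # is what the concentrated holders would receive on the next interaction.
    capturable = pending_yield * share
    severe = (share >= policy.pause_share
              and dormant_days >= policy.pause_dormant_days
              and pending_yield > 0)
    mild = share >= policy.alert_share or dormant_days >= policy.alert_dormant_days
    if severe:
        return Action.PAUSE, share, capturable
    return (Action.ALERT if mild else Action.NONE), share, capturable

# Constructed snapshots (not onchain data): largest balances, supply, dormant days, pending yield.
SNAPSHOTS = {
    "healthy": ({"a": 300.0, "b": 250.0, "c": 200.0}, 2700.0, 1.0, 5.0),
    "dormant": ({"a": 300.0, "b": 250.0, "c": 200.0}, 2700.0, 20.0, 40.0),
    "cornered": ({"w1": 1400.0, "w2": 1273.0, "c": 27.0}, 2700.0, 40.0, 1000.0),
}

if __name__ == "__main__":
    for name, snap in SNAPSHOTS.items():
        action, share, capturable = evaluate(*snap)
        print(f"{name}: {action.value} top2={share:.3f} capturable={capturable:.1f}")
```

With `top_k` set to 1 the "cornered" snapshot shows only about 52% concentration and never reaches the pause tier, which is why the check sums the largest holders rather than inspecting a single wallet.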
Parallel configured watchlists across its full deployment: Ethereum, Base, HyperEVM, Avalanche and Monad. Monitored contracts include the core USDp stablecoin, the swapper and bridgeable token contracts, the savings vault, and the LayerZero bridging module. Multisig addresses are monitored for signer changes and unexpected transaction initiations.
The pause action is a single contract call connected directly to the agent detection. When a malicious contract targets a customer's contracts, the Platform executes the pause without a human in the loop. The Parallel team explicitly designed the role grant and the action binding before launch.
"Connecting the detection directly to the pause action, without a human in the loop at the moment of execution, was the piece that made this work. We'd rather have a false pause we can investigate than miss a real attack by 60 seconds."
Noah, Founder & CEO @ Cooper Labs (Service Provider for Parallel)
Parallel is a capital-efficient, modular, over-collateralized and decentralized stablecoin protocol, backed by yield-generating correlated assets. Learn more at parallel.best and follow Parallel on X.
Hypernative is a real-time monitoring, risk detection and automated response solution that identifies threats with high accuracy and gives customers precious minutes to respond before exploits can do damage. The platform tracks both onchain and offchain data sources and uses battle-tested, sophisticated machine learning models, heuristics, simulations, and graph-based detections to identify over 300 risk types, from smart contract hacks and bridge security incidents to frontend compromises, market manipulations and private key theft.