When an attack can complete in a single transaction, the teams that stop it have already connected detection to an onchain action that fires without waiting for anyone to review an alert.
Automated incident response in DeFi means binding a detection signal directly to a pre-authorized onchain action, so that when an attack begins the protective move executes in seconds with no one reviewing an alert first. Protocols and digital asset managers run this in three patterns: an automated contract pause bound to detection, a pre-staged exit that unwinds a position the moment a threat fires, and pre-transaction policy enforcement that blocks a malicious transaction before it executes. Parallel, Clearstar Labs, and Edge Capital each built one of these on Hypernative, and in Parallel's case the configuration stopped an attacker who had spent 57 days positioning for a $1.52 million exploit and walked away with nothing.
On May 7, 2026, an attacker deployed an exploit contract targeting Parallel's USDp stablecoin. Hypernative's Onchain Monitoring & Automated Response detected the deployed contract in real time, scored it as malicious, identified Parallel as the target, and paused the relevant contracts within seconds. When the attacker submitted the attack transaction, the protocol was already locked. No funds moved. The attacker had spent 57 days quietly positioning, accumulating roughly 99% of the Ethereum sUSDp supply across two independently funded wallets to capture an ERC4626 inflation mechanic, with about $1.52 million positioned to extract by the post-mortem's accounting. The pause was not a person reviewing an alert and deciding to act. It was a pre-configured response bound to the detection signal, executing within a handful of blocks.
Read more: How an Automated Pause Prevented a $1.52M Exploit on Parallel
The distinction is the whole story, because the window an attacker leaves is measured in blocks, not minutes. A flash loan attack can complete in a single transaction. An inflation attack like the one aimed at Parallel resolves the moment the attacker mints against a manipulated share price. For a human to intervene, someone has to receive the alert, assess it, judge it, and execute a protective transaction, and that chain breaks under stress at odd hours. The Parallel attack also arrived during one of the most active hacking stretches in recent memory, a surge driven in part by AI-assisted tooling that lowers the barrier to constructing sophisticated attacks and accelerates how fast adversaries find accounting edge cases. Attackers are arriving prepared. The protocols that stop them are the ones that prepared first.
The speed of Parallel's response was a product of architecture decisions made during onboarding, months before the attack. A central design requirement was separating alert thresholds from pause thresholds: a mild deviation triggers a human-readable alert, while a more severe deviation triggers an automated onchain pause with no human action required at the moment of execution. Achieving that meant granting the pause role to a Hypernative-controlled address directly rather than routing the pause through a multisig, which would have introduced approval latency that could cost hours. The pause action itself is a single contract call bound to the agent detection, configured and authorized before launch rather than assembled during an incident. Noah, founder and CEO of Cooper Labs, the service provider for Parallel, said the team accepted the tradeoff deliberately: "We'd rather have a false pause we can investigate than miss a real attack by 60 seconds."
That tradeoff is the one most teams resolve only after an incident forces the question. When Hypernative detected unusual activity on an Olympus DAO utility contract within three minutes early on a Saturday in September 2024, the response still depended on a person being awake to act, and the team limited losses to $29,000 for a protocol holding $180 million in treasury assets. After the incident, the Olympus team moved to automate its pause function so the next response would not require anyone to wake up at all.
Read more: Beating the Hack: How a Timely Alert Helped Olympus Save User Funds
Parallel designed that same principle in from the start. SparkDEX, on the Flare chain, ran the pattern preemptively in August 2025, when Hypernative flagged an attacker's contract deployment at 3:56 a.m. UTC, before the first exploit transaction landed, and the perpetuals module was paused before the attack could execute. The common thread is that detection only protects funds when it is wired to an action that does not wait for a decision.
A pause is the right move for a protocol that controls its own contracts, but it is not the only automated response, and the correct one depends on what a team is protecting. Clearstar Labs, a Switzerland-based quantitative DeFi manager, used Hypernative's Onchain Monitoring & Automated Response with pre-recorded transactions connected to its institutional wallet infrastructure to configure an automated exit on a protocol where it was providing liquidity. When that protocol was exploited, the exit workflow executed before the team was even aware of the hack. The researchers received a Telegram notification that the exit had completed, reviewed the situation, and confirmed the protocol had been compromised while their funds were already out. Jashiel Alamo, head of DeFi research at Clearstar, said the speed of response is what makes onchain exposure tenable: "Since smart contract risk is inherent to any onchain exposure, it is vital to be able to monitor and respond to onchain threats in seconds."
Read more: Beating the Hack: How Clearstar Saved Thousands Using Onchain Automation
A third pattern moves the response earlier, to before a transaction executes at all. Edge Capital, which manages approximately $700 million across DeFi strategies with an average of 300 daily transactions, uses Transaction Guard as a policy enforcement layer across custody infrastructure spanning Fireblocks, Fordefi, and internally managed wallets. Rather than reacting after a malicious transaction confirms, the system simulates transaction intent and enforces policy at the transaction layer, stopping a threat before execution. Before the integration, the team maintained manual risk parameters for hundreds of protocol-specific checks that contract inner calls and offchain messaging could slip past. Gleb Zverev, blockchain developer at Edge Capital, said the requirement was enforcement, not just visibility: "We needed real-time interpretation and enforcement across all our vaults to protect against both external and internal threats." Pre-transaction enforcement and reactive pausing solve different halves of the same problem, and treasury and custody operations often need both.
Teams that have actually stopped exploits with automation tend to optimize for the same few properties, and they are worth evaluating against any platform under consideration.
The first is detection bound directly to action, with no human required at the moment of execution. The teams that limited losses had the protective action pre-authorized and connected to the detection signal. The ones that depend on a responder reviewing an alert at 3 a.m. lose the window the attacker leaves, regardless of how fast the detection itself is.
The second is separation of alert thresholds from action thresholds. A system that pages a human on mild deviations but pauses autonomously on severe ones avoids both the alert fatigue that comes from over-triggering and the missed window that comes from waiting on a person. The threshold logic should be configurable per contract and per condition, not a single global setting.
The third is execution latency that beats the attack, which in practice means keeping multisig approval out of the critical path for automated responses. Routing a pause through a multisig can add hours of signer-coordination latency; an attack completes in blocks. Granting a scoped, revocable action role to the response system removes that delay while keeping the action auditable.
The fourth is a response menu broad enough to match the exposure. A protocol that controls its contracts needs an automated pause. A liquidity provider needs a pre-staged exit connected to its wallet infrastructure. A treasury or custody operation needs pre-transaction enforcement that blocks a bad transaction before it confirms. A platform that supports only one of these forces teams to leave part of their exposure on a manual workflow.
See how Hypernative's Onchain Monitoring & Automated Response closes each of these gaps. Request a demo.
Secure everything you build, run and own in Web3 with Hypernative.
