Hello alpha seeker,

The biggest news of the week comes from the Solana ecosystem, where Drift was exploited for ~$270M. It’s significant enough to dive into it and see how it affects Hyperliquid as well, especially given the chatter on socials.

Aside from that, HIP-3 OI hits new ATH, but volume in general is down, along with token performance since last week.

Let’s dive into the full weekly recap.

Information gathered at midnight UTC at the end of the week. Swings are high, so for most up-to-date token prices, check Hyperliquid.

You might have heard this already if you’re following crypto news in general because it’s a big one.

Drift, a perp DEX protocol on Solana, was hacked for ~$270M on 1st April 2026. The issue was a compromised 2/5 multisig with no timelock, which allowed the hacker to supply a manipulated token as collateral and “borrow” things like stablecoins, wrapped BTC and ETH, SOL, and more.

You might be thinking: “This is a Solana protocol, why are you talking about it in the Hyperliquid updates?”

Because the reason for the hack reminded people about Hyperliquid’s Arbitrum bridge for USDC.

This bridge requires 2/3 of the staking power to sign withdrawals, let’s call them “hot validators,” and there’s a 3/4 multisig for admin config, which can override the system configuration.

Now, this is one of the risks we know exists for Hyperliquid, which we mentioned in our very first post.

More importantly, though, compromising a 3/4 is significantly harder than a 2/5. With Drift, there are 10 possible pairs that unlock the multisig; with Hyperliquid’s (known) multisig, there are only 4 possible combinations, which significantly reduces the attack surface.

This is before any other layers of security that might not be publicly documented to avoid exactly relaying the best attack vectors.

To give an example, if we assume the same probability for every signature to be compromised, give it a 5% chance (relatively high already), the 3/4 is 47x more secure. At 1%, it’s roughly 247x more secure.

The math, with the help of Claude:

Of course, this doesn’t account for a possible supply chain attack in shared infrastructure.

So, the core points here:

The Drift team did an initial update, and while they wrote many words and tried to explain the social engineering side of it, the one thing they don’t address is: “Why did the team have admin keys on dev devices regularly used to download all kinds of stuff?”

Most standard and basic opsec is to have a dedicated device you use just for admin keys, and which you only connect minimally, strictly as needed. Nothing else on it. Nothing!

We also have people suggesting Hyperliquid has already been compromised, which just shows how much bad faith there is in the industry when their bags are hurting.

As we mentioned before, nothing and nobody is 100% unbreakable.

But coming back to team competence, Hyperliquid specifically does not do “partnerships,” so the code and dependencies are also not opened up to every conference connection who wants to trade on the platform.

Quite the opposite, the core team gets criticized for not “helping” onboard people more personally and instead letting people “figure it out with the permissionless framework and the available documentation.”

In other words, the chances of anyone on the Hyperliquid core team getting blinded by the same “opportunity” as the Drift team probably decrease the chances of an exploit vs the average rather than increase them.

In more positive news, HIP-4, aka outcome trading, is close to mainnet.

The testnet implementation is eligible for mainnet-level bug bounties, which usually means ~4 weeks until mainnet deployment if everything works as expected.

For a deeper dive into what we know about HIP-4 so far, check out this breakdown by @Yaugort. 

Portfolio margin is also now available for anyone with $10k+ in trading account value starting this week.

This opens it up to significantly more users, and it seems to be very close to “universally available.”

Kinetiq buybacks are live, and kHYPE v2 is rolling out today. With these updates being live and official, we had a deeper look at our KNTQ allocation. You can read our in-depth analysis here. Also, this means S2 is likely to extend more than we initially speculated.

Valantis releases early access for its Prime DCA feature. Nice little feature if you want to consistently buy HYPE or BTC without babysitting or tons of manual work. We haven’t applied for this yet, but we’re definitely interested in it when open to everyone.

Paragon launches HIP-3 DEX. Their goal is to transform market indices into tradable instruments, starting with BTCD, TOTAL2, and OTHERS. You can read the full docs here to get a better understanding.

Hyperliquid Android app MVP released. We’re surprised by this, given that the previous signal was for builders to take the opportunity to be “the mobile app” to access Hyperliquid. Maybe builders were too slow, maybe the core team’s mobile app will stay more “basic.” Let’s see.

Sushi integrates perps powered by Hyperliquid. Another noteworthy integration via builder codes. These integrations are becoming a stronger and stronger distribution channel for Hyperliquid, so it’s always great to see a new one.

Perhaps some news on Perps.fun? Maybe KIP-2 implementation delayed their Launch partnership with Kinetiq. As mentioned before, we’re just following, not something we’d allocate any of our HYPE into.