On March 9, 2023, Hedera Hashgraph suffered a network-level smart-contract-service exploit — approximately $515K drained from liquidity pools (SaucerSwap, Pangolin, HeliSwap) on Hedera. The bug was in the Hedera Smart Contract Service's code that decompiles Ethereum-style calls into Hedera Token Service operations, letting the attacker transfer HTS tokens out of victim accounts during contract execution. Hedera paused the entire mainnet in response.
What happened
Hedera's EVM-compatibility layer translates Solidity-style token calls into native Hedera Token Service operations. A flaw in this translation/decompilation code allowed an attacker to move HTS tokens held by liquidity-pool accounts during otherwise-normal contract interactions. The Hedera council took the unusual step of turning off mainnet proxies (pausing the network) while the core bug was patched.
Aftermath
- Hedera paused mainnet, patched the Smart Contract Service, and resumed after fix verification.
- Affected DEXs and the council coordinated remediation; recovery was partial.
Why it matters
Hedera is one of the catalogue's few network/protocol-level entries (alongside the Saga Ethermint bug) rather than an application-contract bug. The vulnerability was in the chain's own EVM-compatibility implementation — not in any deployed dApp. It reinforces a theme from SagaEVM: alt-EVM and EVM-compat layers carry their own attack surface beyond canonical go-ethereum, and a bug there applies to every contract on the chain at once. The drastic response — pausing the entire network — is only available to chains with sufficiently centralised governance, the same trade-off seen at Sui/Cetus and Terra/Astroport.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-hedera-hack-march-2023
- [02] crypto.news: https://crypto.news/hedera-temporarily-disables-network-services-after-exploit/
- [03] rekt.news: https://rekt.news/hedera-rekt