Hive-Swap Dev Update — May 13 → May 27, 2026

This cycle was split in two by the May 18 Hive Engine security incident. The first half was router hardening and infrastructure work; the second half was incident response, then a burst of auto-slippage improvements and a full analytics dashboard overhaul. A lot shipped.


HE Security Incident — May 18 Response

On May 18 at ~5am EST, Hive Engine's EVM bridge systems were compromised. The response was immediate:

  • EVM and Solana bridges taken offline — Ethereum, BSC/BNB, Base, Polygon, and Solana bridge UI removed and the /api/v1/bridge/in/build endpoint returns 503 BRIDGE_DISABLED for any type: evm request. The /gateways response filters those chains out entirely.
  • HBD bridge paused — the DSwap/graphene-swap gateway keys were rotated as a precaution. The HBD tab is removed from the bridge UI until keys settle. HIVE (SWAP.HIVE), BTC, LTC, DOGE, and BCH remain fully operational.

Separately, a real user loss surfaced on the same day: a market.sell inside a multi-op custom_json array was reverting with "balance does not exist" and burning the platform fee (op 1) with no value delivered. The Hive Engine market contract rejects book ops when they arrive as part of a JSON array (HE's "multiTransaction" mode) if the user has no pre-existing market balance entry or insufficient DRUBBLE for the multi-tx fee. The fix in keychain.ts: detect market.* ops at broadcast time and send each as a standalone JSON object rather than part of an array. Non-market ops before and after (fee transfer, pool swaps, BEED bootstrap) still batch normally. Net effect on Keychain prompts for book-route swaps:

Single-hop pool only:       1 prompt  (unchanged)
Single-hop book only:       2 prompts
2-hop book + peg-out:       3 prompts
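
A sketch of the batching rule described above, as an added example and not the code in keychain.ts. `planBroadcasts` and `isBookOp` are hypothetical names, and the sample op lists are constructed to reproduce the prompt counts in the table.

```typescript
// Added example. Ops use Hive Engine's {contractName, contractAction, contractPayload} shape.
type HeOp = {
  contractName: string;
  contractAction: string;
  contractPayload: Record<string, string>;
};

// Exact match on purpose: "marketpools" (pool swaps) also starts with "market"
// but is not an order-book op and can stay in a batch.
function isBookOp(op: HeOp): boolean {
  return op.contractName === "market";
}

// Hypothetical helper: one entry per broadcast (one Keychain prompt each).
// A bare object is a standalone op; an array is a batched payload.
function planBroadcasts(ops: HeOp[]): Array<HeOp | HeOp[]> {
  const plan: Array<HeOp | HeOp[]> = [];
  let batch: HeOp[] = [];
  const flush = (): void => {
    if (batch.length > 0) plan.push(batch);
    batch = [];
  };
  for (const op of ops) {
    if (isBookOp(op)) {
      flush();        // close the batch collected so far
      plan.push(op);  // book op goes out alone, never inside an array
    } else {
      batch.push(op);
    }
  }
  flush();
  return plan;
}

// Constructed sample ops (accounts, symbols and amounts are placeholders).
const fee: HeOp = { contractName: "tokens", contractAction: "transfer",
  contractPayload: { symbol: "SWAP.HIVE", to: "fee-account-placeholder", quantity: "0.01" } };
const poolSwap: HeOp = { contractName: "marketpools", contractAction: "swapTokens",
  contractPayload: { tokenPair: "SWAP.HIVE:DEC", tokenSymbol: "SWAP.HIVE", tokenAmount: "10" } };
const bookSell: HeOp = { contractName: "market", contractAction: "sell",
  contractPayload: { symbol: "DEC", quantity: "1000", price: "0.001" } };
const pegOut: HeOp = { contractName: "hivepegged", contractAction: "withdraw",
  contractPayload: { quantity: "1" } };

console.log(planBroadcasts([fee, poolSwap]).length);         // pool only
console.log(planBroadcasts([fee, bookSell]).length);         // book only
console.log(planBroadcasts([fee, bookSell, pegOut]).length); // book + peg-out
```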

Auto Slippage — Swap Widget, Treasury, and API

The swap widget now ships with Auto slippage on by default. The formula: priceImpact + 0.5% buffer, rounded up to the nearest 0.5%, then clamped to the range [0.5%, 5%]. The button label updates live once a quote is available — "Auto 1.5%" — and reverts to "Auto" when no quote exists. Selecting any manual value exits auto mode; restoring a pending sig-2 draft also exits it, which preserves the saved value.

The default for manual slippage was also raised from 1% to 2%, and the HIVE↔SWAP.HIVE peg memo helpers now clamp slippage to Math.max(slippagePct, 2) internally. The problem: with auto mode set to 0.5% on a low-impact DEX swap, that 0.5% was getting passed straight into the uswap peg memo — leaving only 0.59% total tolerance (0.5% + the 0.09% coded fee assumption). uswap's actual fee exceeds that and triggers REFUND: Result Below Memo Value. Peg operations are nominally 1:1 so the memo slippage is purely a fee buffer, not market slippage protection — a 2% floor is safe regardless of what the user's DEX preference is.

The treasury sweep had the same root problem but worse: it was using a fixed TREASURY_SLIPPAGE_BPS=100 (1%) for all tokens regardless of pool depth. A 25k SCRAP position through the thin SCRAP:FLUX pool has 10-30%+ price impact — 1% minAmountOut is unreachable and the on-chain op was reverting. The fix: two-pass quoting. First quote at 50% slippage to read priceImpact, then compute ceil((impact + 0.5) * 2) / 2 capped at 20% (higher cap than the UI — the treasury cares about completing the conversion, not UX), then re-quote with that value to get the correct minAmountOut in the broadcast ops.
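
The auto-slippage formula and the treasury's two-pass quoting, as an added example that is not the project's code. The constant-product pool, its reserves and the rule that minAmountOut is taken from the spot-price output are assumptions made so the revert can be reproduced offline.

```typescript
type Quote = { amountOut: number; priceImpactPct: number; minAmountOut: number };
type QuoteFn = (amountIn: number, slippagePct: number) => Quote;

// impact + 0.5% buffer, rounded up to the next 0.5%, floor 0.5%, caller-supplied cap
// (5 for the widget and API, 20 for the treasury sweep).
function autoSlippagePct(priceImpactPct: number, capPct: number): number {
  const stepped = Math.ceil((priceImpactPct + 0.5) * 2) / 2;
  return Math.min(capPct, Math.max(0.5, stepped));
}

// Assumed stand-in for the real quoter: fee-less constant-product pool.
// minAmountOut is spot output reduced by the slippage tolerance (assumption).
function makePoolQuote(reserveIn: number, reserveOut: number): QuoteFn {
  return (amountIn: number, slippagePct: number): Quote => {
    const spotOut = (amountIn * reserveOut) / reserveIn;
    const amountOut = (amountIn * reserveOut) / (reserveIn + amountIn);
    return {
      amountOut,
      priceImpactPct: (1 - amountOut / spotOut) * 100,
      minAmountOut: spotOut * (1 - slippagePct / 100),
    };
  };
}

// Pass 1 probes at 50% only to read priceImpact; pass 2 re-quotes with the
// derived tolerance so the broadcast op carries a reachable minAmountOut.
function twoPassQuote(quote: QuoteFn, amountIn: number, capPct: number) {
  const probe = quote(amountIn, 50);
  const slippagePct = autoSlippagePct(probe.priceImpactPct, capPct);
  return { slippagePct, quote: quote(amountIn, slippagePct) };
}

// The on-chain swap reverts when the pool pays less than minAmountOut.
function fills(q: Quote): boolean {
  return q.amountOut >= q.minAmountOut;
}

// Constructed thin pool: a 25,000-token sell against 150,000 in reserve.
const thinPool = makePoolQuote(150000, 3000);
const fixedOnePct = thinPool(25000, 1);
const treasury = twoPassQuote(thinPool, 25000, 20);
console.log(fills(fixedOnePct), treasury.slippagePct, fills(treasury.quote));
```

With the widget's 5% cap the same trade still fails to fill, which is the case the treasury's higher cap exists for.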

For API integrators, /api/v1/quote now accepts an optional autoSlippage: true field. When set, the response includes recommendedSlippagePct — the same impact-derived formula, capped at 5%. The typical pattern:

POST /api/v1/quote
{ "fromSymbol": "DEC", "toSymbol": "SWAP.HIVE", "amount": "1000", "autoSlippage": true }

→ { "ok": true, "data": {
    "quote": { ... },
    "recommendedSlippagePct": 2
  }
}

Then pass that value directly as slippagePct to /api/v1/swap/build. Backwards compatible — the field only appears when requested.



Analytics Dashboard — Instant Loads and Full Rebuild

The /stats page went through a full rebuild and a critical performance fix.

Instant loads on first visit: The page was previously a client-only component that showed a loading skeleton until two API calls returned. On a cold Cloudflare Worker isolate, those API calls were triggering maybeSync() → runActivitySync() — the full 30-60 second sync pipeline (50 pages of HE/L1 fetches + D1 inserts + route pre-warming). The fix has two parts: (1) the server component now fetches summary, tokens, and recent activity from KV/D1 at request time and passes the data as props, so the HTML arrives with content already rendered; (2) reads never trigger a sync anymore — maybeSync() is removed from the cache path entirely. The cron (*/2 * * * *) owns syncing; a KV miss falls straight to a D1 query (< 500ms). KV TTL was also raised from 5 minutes to 1 hour so a slow cron run doesn't immediately expire the cache.

HIVE price accuracy: The dashboard was using the HE AMM spot ratio (SWAP.USDT:SWAP.HIVE) which drifts when pools are unbalanced. Switched to condenser_api.get_current_median_history_price, the L1 witness-median price reflecting external exchange data voted hourly. Falls back to the pool ratio if the L1 RPC is unavailable.

Daily active users: The Users chart now shows three series: new accounts (bars), daily active accounts (line, from COUNT(DISTINCT from_account) per bucket fired in parallel with the existing query), and cumulative users. The D1 query runs alongside the existing aggregation at no extra latency cost.

Data freshness badge: A green "Cached · 3m ago" capsule is now visible in the dashboard header and the Recent Activity section header, derived from summary.generatedAt and the last successful activity fetch respectively. The old polling spinner is gone.

The analytics API endpoints (/analytics/summary, /analytics/tokens, /analytics/recent, /analytics/refresh) are now restricted to same-origin. A new withInternalApi guard strips all Access-Control-* headers and returns 405 for OPTIONS preflight — cross-origin browser requests are blocked while the dashboard's own same-origin fetches continue to work.
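
One way to build a guard of this kind for a Workers-style handler, as an added example rather than the project's withInternalApi. The Sec-Fetch-Site check is an assumption added here: without CORS headers a browser will not let another origin read the response, but a simple cross-origin request still reaches the handler. `sameOriginOnly`, the inner handler and the host name are hypothetical.

```typescript
// Added example: a same-origin guard for a Workers-style handler (Fetch API types).
type Handler = (req: Request) => Response;

function sameOriginOnly(handler: Handler): Handler {
  return (req: Request): Response => {
    // No CORS preflight is ever answered successfully.
    if (req.method === "OPTIONS") {
      return new Response(null, { status: 405 });
    }
    // Assumption added here, not described in the post: browsers attach
    // Sec-Fetch-Site, so anything other than "same-origin" is refused before
    // the handler runs. Clients that omit the header (curl, older browsers)
    // pass through, so this is no substitute for authentication.
    const site = req.headers.get("Sec-Fetch-Site");
    if (site !== null && site !== "same-origin") {
      return new Response("forbidden", { status: 403 });
    }
    const res = handler(req);
    // Copy the headers and drop every Access-Control-* entry the handler
    // or a shared middleware may have set.
    const headers = new Headers(res.headers);
    const names: string[] = [];
    headers.forEach((_value: string, name: string) => { names.push(name); });
    for (const name of names) {
      if (name.toLowerCase().indexOf("access-control-") === 0) headers.delete(name);
    }
    return new Response(res.body, { status: res.status, headers });
  };
}

// Constructed inner handler that leaks a permissive CORS header.
const summary: Handler = () =>
  new Response('{"ok":true}', {
    headers: { "Access-Control-Allow-Origin": "*", "Content-Type": "application/json" },
  });
const guarded = sameOriginOnly(summary);
const url = "https://dashboard.example/analytics/summary"; // placeholder host
```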



Also shipped this cycle

  • Router: dust-orderbook trap closed — The final-hop 10-satoshi output guard was only applied to intermediate hops. A 25k BONUS→SWAP.HIVE sell against a lone 1-satoshi bid produced 2.69e-10 SWAP.HIVE (below 8-decimal precision floor, rounds to zero) and the user lost their fee with no value received. Guard now applies to every hop including the last; the router returns NO_ROUTE instead of building a zero-output op.

  • Router: multi-hop drift buffer — Fixed revert-on-final-hop for 3-hop routes: slippagePct was applied flat to the final minAmountOut with no allowance for drift accumulating across N pools. New PER_HOP_DRIFT_BPS = 50 adds 0.5% per extra hop to the effective slippage (1-hop: 1%, 2-hop: 1.5%, 3-hop: 2% at default settings).

  • Router: BEED-aware routing on API — /quote and /swap/build now accept username for BEED-aware route selection. Accounts holding < 0.002 BEED get pool-only routes and builds, avoiding the market.* multi-tx fee that would revert the swap.

  • Typed fee memos — Platform fee tokens.transfer ops now carry structured memos: HiveSwap swap: A→B | r:XXXXXX for swaps, HiveSwap peg-in: HIVE→Base | r:XXXXXX / HiveSwap peg-out: SWAP.X→Y | r:XXXXXX for bridge fees. The 6-hex r: ref is per-build random for cross-referencing wallet entries to build responses.

  • Gateway latency endpoint — GET /api/v1/gateways/latency returns observed p50/p90 wait times per gateway direction, refreshed every 5 minutes by a dedicated cron from on-chain transfer pairs. Used by the swap widget to show live wait-time estimates.

  • Points system polish — /points info page with tier table, level curve, and badge grid. Badge icons replaced generic colored squares with themed SVG silhouettes (ocean-creature tier ladder: shrimp → crab → octopus → dolphin → shark → whale + milestone badges). Points entry point in the nav moved from a text link to a glimmering medal icon adjacent to the wallet button.

  • KV cost controls — Client-side HE fetches (tokens, pools) routed through KV-cached internal endpoints to stay within Cloudflare free tier write limits on high-traffic days.


Try it: hive-swap.com
Public API docs: hive-swap.com/docs/api
Follow: @hive-swap

2 comments

Appreciate the tool you have developed and for the continued updates!


Thanks dr!
