Late in the night of March 26, the treasury of the decentralized trading platform Hyperliquid faced a liquidation risk of up to $240 million due to price manipulation of memecoin $JELLYJELLY.
Previously, a whale with 50x leverage on Hyperliquid had used similar methods to actively liquidate its long positions, putting Hyperliquids vault at risk of loss.
(For details, please see Hyperliquids 50x leverage whale has closed all its positions, and 160,000 ETH long positions have been actively liquidated)
The attack last night not only exposed the vulnerability of DeFi/DEX platforms in high-leverage transactions, but also became more complicated due to the active assistance of centralized trading platforms (CEX) - this is more like a mantis stalking a cicada, while the oriole is behind:
Attackers want to profit through price manipulation, and CEX wants to attract users and traffic by listing popular tokens, indirectly undermining the fund security and reputation of competitor DEXs.
If you don’t know much about Hyperliquid and this attack, we have also collected summary posts and analyses from all parties, trying to review the full picture of the incident, popularize the principles of the attack, and explore the motivations of all parties.
The whole story: from short positions to treasury crisis
First, you need to know what Hyperliquid is.
Hyperliquid is a decentralized trading platform based on its own Layer 1 blockchain, providing perpetual contract trading, aiming to combine the advantages of centralized and decentralized trading platforms.
Its vault HLP is a community-owned protocol vault that is responsible for market making and liquidation, allowing users to deposit to share profits and losses. According to Vaults | Hyperliquid Docs, HLP deposits have a 4-day lock-up period to support platform liquidity.
So, what was the whole process of the attack on the HLP vault?
(Photo source: Aunt Ai’s Twitter post)
Opening a short order: According to Aunt AI’s monitoring, the attacker opened a $4.08 million $JELLYJELLY short position on Hyperliquid through an address (such as 0x de 9...f 5 c 91), with an opening price of $0.0095 and a margin of 3.5 million USDC.
· Depressing the price to trigger liquidation: Another address (such as Hc 8 gN...WRcwq) sells $JELLYJELLY in conjunction with spot, depressing the spot price and making the short position show floating profit. The attacker then withdraws 2.76 million USDC margin, triggering liquidation, and the vault takes over the position.
· Raising the price and increasing losses: After the liquidation, the attacker bought $JELLYJELLY in two waves at 21:01 and 21:45 to increase the price. According to Coingecko data, the price rose by 230% in a short period of time, causing the short position loss of the vault to increase.
CEX actively intervenes: As long as JELLYJELLY continues to rise, the short position loss will be further aggravated; at this time, Binance and OKX launch $JELLYJELLY perpetual contract, which attracts a large amount of trading volume, and the price rises further, aggravating the treasury loss.
· The vault is at risk of a run: As of March 27, 2025, the vault has a floating loss of $10.63 million, and the TVL has dropped by about $20 million. The latest TVL is $231 million (Hyperliquid dashboard). If the price of $JELLYJELLY rises to $0.17, the vault may be liquidated, with a loss of $240 million.
Hyperliquid delisted JELLYJELLY without any losses: Afterwards, Hyperliquids treasury liquidated 392 million JELLY tokens (about $3.72 million) at $0.0095, making a profit of $703,000 without any losses. At the same time, after Hyperliquid found evidence of suspicious market activities, the validators convened a meeting and voted to delist the JELLY perpetual contract, and all users will be fully compensated by the Hyper Foundation.
Price manipulation and the “assistance” effect of CEX
If you are a little confused, you might want to understand the coordination between short orders and spot orders, as well as the principles of CEX assistance.
A short position (short selling) is when an investor borrows an asset and sells it, hoping to buy it back at a lower price after the price drops and make a profit.
For example: Assuming the price of $JELLYJELLY is $0.10, the attacker borrows 1 million and sells them, receiving $100,000. If the price drops to $0.05, they buy it back for $50,000 to repay the loan, making a profit of $50,000. But if the price rises to $0.15, they need to buy it back for $150,000, losing $50,000.
Hyperliquid’s Liquidation Mechanism
On Hyperliquid, positions are liquidated when a traders margin is insufficient to cover potential losses. According to Liquidations | Hyperliquid Docs, liquidations use the mark price (a combination of external CEX prices and Hyperliquid order book status) to ensure more robust liquidations. After liquidation, the HLP vault takes over the position and assumes subsequent risks.
Let’s take a look at the short selling and spot buying in the previous chapter:
The attacker’s logic: Suppress the price – trigger liquidation – create losses
The attacker opened a short position of $JELLYJELLY at $0.0095 and simultaneously sold spot to drive down the price, making the short position appear profitable.
The reason why this is so easy to achieve is that the attackers target is Memecoin $Jellyjelly, which has a depth gap of N times, making price manipulation much easier.
The attacker withdraws most of the margin (e.g. 2.76 million USDC), making the short position impossible to maintain and triggering the liquidation mechanism. The Hyperliquid vault has to take over the short position.
The key point is that if the attacker buys $JELLYJELLY at this time, the price will rise to $0.16. The vault needs to buy back $JELLYJELLY at a higher price to close the short position, which will increase the loss.
How CEX assists
CEX launched the $JELLYJELLY perpetual contract, which has an obvious assisting effect.
CEX has a huge user base and trading volume. After launching the $JELLYJELLY perpetual contract, it attracted a large number of speculators to enter the market. This move significantly pushed up the price of $JELLYJELLY, further exacerbating the short position losses of the vault.
You can also see from the reply post below that CEX’s intention to take the initiative to intervene is also very obvious.
Subsequent impact
Although Hyperliquid took quick action to remove the $JELLYJELLY perpetual contract and did not cause actual losses to the vault, the incident exposed the vulnerability of DeFi platforms when facing high-leverage transactions and price manipulation.
More importantly, this incident has triggered widespread community doubts about Hyperliquid’s liquidation mechanism and decision-making transparency. Users are concerned about whether the platform can continue to keep their funds safe in similar incidents in the future, and also question whether the platform is truly decentralized.
A post mentioned that the top 10 deposit addresses provide 15.9% of the funds. If the whales withdraw their funds, it will accelerate the vicious cycle and cause a bank run.
Although no financial loss has occurred, reputational damage may have begun to appear.
Is Hyperliquid a DEX? If so, why was it so easy to delist tokens? Is governance power concentrated in the hands of a few?
These community questioning voices reflect DeFi users’ concerns about platform governance transparency and community participation, while also posing new challenges for Hyperliquid: how to balance the contradiction between decentralization and efficiency while maintaining the security of funds.
As a DeFi platform, Hyperliquid relies on community treasury and liquidation mechanisms, but it is vulnerable to the huge trading volume and market influence of CEX. CEX can quickly attract funds and influence prices by listing popular tokens, while DeFi platforms may fall into crisis due to insufficient liquidity and price manipulation.
The mantis stalks the cicada, unaware of the oriole behind
This is a complex game, and each participant has different motivations and tries to take the initiative in this price manipulation game.
Attackers: Profit-seeking price manipulators
The attackers goal is to profit through price manipulation. Aunt Ais post shows that the manipulated address holds 124 million $JELLYJELLY (worth $4.86 million), which may be a strategy of selling at a high price after a pull-up. They may imitate the previous 5 0x leveraged whale operation and take advantage of the price volatility of low-liquidity memecoin.
Hyperliquid: Protecting Users and Platforms
Hyperliquid strives to protect user funds and platform stability. A community post mentioned that the platform may adjust the leverage ratio of BTC and ETH (to reduce similar risks. In the future, it is necessary to increase margin requirements or improve liquidation mechanisms to protect HLP community funds.
CEX: Precision Strike in Competition
CEX’s quick response and online launch is not only a business decision, but may also hide competitive considerations.
By quickly launching the $JELLYJELLY perpetual contract, CEX attracted a large number of speculators to enter the market, pushing up the token price, while also indirectly exacerbating the risk of loss for Hyperliquids vault.
This precise market intervention, ostensibly in pursuit of profits, may in fact be a “precision strike” - by amplifying Hyperliquid’s liquidation crisis, it weakens its market competitiveness as a DeFi platform.
From the above motivations, we can see that the attackers are not completely in the upper hand. CEXs market strategy has taken advantage of the attackers behavior to a certain extent, further amplifying their market influence. The identities of hunters and prey constantly alternate in this multi-layered game, eventually forming a complex network of interests.
For Hyperliquid, this is both a crisis of financial security and a test of trust.
After all, this is not the first time. Previously, the 50x leveraged big brother also used the Hyperliquid mechanism to actively liquidate 160,000 ETH long positions and withdraw $1.857 million in profits...
We cannot predict whether this type of attack will happen again in the future, but what you can clearly see in this incident is:
There is still a gap between the ideal and reality of decentralization, and behind more efficient transactions lies a more bloody game.
