Recently, the address 0xf3f496c9486be5924a93d67e98298733bb47057c opened a 50x leveraged long on ETH on Hyperliquid, with a maximum floating profit of over $2 million. Because of the large position size and the transparent nature of DeFi, the entire crypto market was watching the whale's moves. Most observers expected his next step to be either adding to the position to keep profiting or closing it to take profit. Instead, he made a move that surprised everyone: he withdrew margin to realize the profit, which caused the system to raise the liquidation price of the long position and ultimately triggered the whale's liquidation, leaving him with a profit of $1.8 million.
What impact does this have? It damages HLP's liquidity.
HLP is Hyperliquid's own active market maker: it earns funding fees and liquidation income through market making, and any user can also provide liquidity to HLP.
Because the ETH whale's profit was so large, closing the position normally would have run into insufficient counterparty liquidity. Instead, he deliberately sought forced liquidation, and HLP absorbed the amount as a loss. On March 12 alone, HLP's funds fell by about $4 million.
This attack shows that Perp Dex platforms face a severe challenge and that the liquidity pool mechanism must evolve. Taking this opportunity, WOO X Research looks at the mechanisms currently adopted by the mainstream Perp Dex platforms (Hyperliquid, Jupiter Perp, GMX) and then discusses how to prevent similar attacks.
Reference: https://app.hyperliquid.xyz/vaults/0xdfc24b077bc1425ad1dea75bcb6f8158e10df303
Hyperliquid
Liquidity provision: The community liquidity pool HLP (Hyperliquid Pool) provides the funds, and users can deposit USDC and other assets into the HLP Vault to become the platform's market-making liquidity. In addition, it allows users to create their own "Vault" to participate in market-making and profit sharing.
Market-making model: It adopts a high-performance on-chain order book matching, providing a centralized exchange-level experience. The HLP treasury acts as a market maker, placing orders on the order book to provide depth and process unmatched portions, reducing slippage. The price reference is based on external oracles to ensure that the quoted prices are close to the global market.
Liquidation mechanism: Liquidation is triggered when the maintenance margin (usually starting at 20%) is insufficient. Any user with sufficient capital can participate in the liquidation and take over positions that no longer meet the margin requirement. The HLP Vault also acts as a liquidation insurance pool: if a liquidation causes a loss, HLP bears it (as in this attack).
Risk management: Hyperliquid uses multi-exchange price oracles, updated every 3 seconds, so that manipulation of a single market cannot produce incorrect prices. To handle the extreme situations caused by large whale positions, it has increased the minimum margin requirement for some positions to 20%, reducing the impact of large forced liquidations on the pool. Anyone can participate in liquidations, which increases decentralization, while a single Vault bears the risk centrally. The downside is that, as an emerging proprietary chain, it has not yet undergone long-term testing, and there have been past incidents of large forced-liquidation losses.
Funding rate and holding cost: The funding rate is calculated hourly for long and short positions to anchor the contract price close to the spot. If the long positions dominate, the longs pay the funding to the shorts (and vice versa) to prevent long-term price deviations. In situations where the platform's net position exceeds the HLP's tolerance, Hyperliquid will increase the margin requirement and possibly dynamically adjust the funding rate to reduce the risk. The holding cost is the funding fee, without additional overnight interest, but the high leverage increases the pressure of funding fee payments.
Jupiter
Liquidity provision: The multi-asset JLP (Jupiter Liquidity Pool) provides liquidity, including SOL, ETH, WBTC, USDC, USDT and other index assets. Users can mint JLP by exchanging assets, and JLP acts as the counterparty to bear the risks of leveraged trading.
Market-making model: It abandons the traditional order book and uses the innovative LP-to-Trader mechanism. Through oracle pricing, traders trade directly with the JLP liquidity pool, enjoying a near-zero slippage trading experience. Advanced features like limit orders can be set, but trades are essentially executed by the pool at oracle prices.
Liquidation mechanism: Liquidation is automatic. When the position's margin ratio falls below the maintenance requirement (e.g. <6.25%), the smart contract automatically closes the position at the oracle price. The JLP liquidity pool, as the counterparty, absorbs the profit and loss of the position, and the remaining margin goes to the pool if the trader is liquidated.
Risk management: Oracle-based pricing keeps the contract price closely tracking spot, preventing internal price manipulation. Solana's high TPS reduces the risk of liquidation delays, but instability of the underlying network can affect trading and liquidation. To prevent malicious manipulation, the platform can set limits on the total position in a single asset (e.g. limit the maximum leveraged position), and the borrowing fee increases with the asset utilization rate, raising the cost of long-term one-sided positions and curbing extreme imbalances. So far, traders have generally been at a net loss, while JLP capital has grown relatively steadily.
Funding rate and holding cost: There is no traditional funding rate. Jupiter Perp does not use a funding fee paid between longs and shorts, because the counterparty is the liquidity pool rather than the opposite side of the market. Instead, there is a borrow fee that accrues hourly based on the proportion of the borrowed asset in the pool and is deducted from the margin. Therefore, the longer the holding period or the higher the asset utilization rate, the more interest accumulates, and the liquidation price gradually approaches the market price over time. This mechanism acts as a cost constraint on long-term one-sided positions, avoiding the long-term imbalance of funding fees.
GMX
Liquidity provision: The multi-asset index pool GLP (GMX Liquidity Pool) provides liquidity, including BTC, ETH, USDC, DAI and other assets. Users deposit assets to mint GLP, and GLP becomes the counterparty for all trades, bearing the profit and loss.
Market-making model: There is no traditional order book; prices come from oracles, and the pool's assets automatically act as the counterparty. GMX uses Chainlink decentralized oracles to obtain market prices and execute trades with "zero slippage". The GLP asset pool acts as a unified market maker, regulating the pool's assets through the fee impact mechanism to ensure liquidity depth.
Liquidation mechanism: Liquidation is automatic. Chainlink index prices are used to calculate the position value, and liquidation is triggered when the margin ratio falls below the maintenance level (around 1.25x initial margin). During liquidation, the contract automatically closes the position, with the user's margin first used to pay the pool's losses and the remainder (if any) returned or included in the insurance.
Risk management: GMX uses authoritative multi-source oracles to reduce the risk of wash-trading manipulation and to avoid erroneous forced liquidations caused by abnormal fluctuations in a single trading pair. There have been cases of traders using GMX's zero-slippage mechanism together with external markets to manipulate prices, and the team has since set maximum position limits on assets like AVAX that are more susceptible to manipulation. Such position limits and the dynamic fee rate mechanism (the higher the asset utilization rate, the higher the holding interest) limit leverage risk, and 70% of trading fees are rewarded to GLP to increase LPs' motivation to withstand losses.
Funding rate and holding cost: GMX V1 does not have the long-short mutual funding fee; instead, there is a borrowing fee (0.01% per hour based on the proportion of the borrowed asset). This fee is paid directly to the GLP pool, meaning that regardless of long or short, position holders have to pay holding interest, which is included in the position's profit and loss. The higher the asset utilization rate, the higher the annualized borrowing fee (can exceed 50% annualized), economically penalizing long-term one-sided crowded positions.
In this model, the perpetual price is always close to the spot (zero slippage), without the traditional funding fee imbalance, but the pool needs to bear the profit and loss when the price fluctuates violently.
Hyperliquid vs. Jupiter vs. GMX - Comparison Table
Conclusion: The Inevitable Path of Decentralized Perpetual Exchanges
This attack exploited the decentralized nature of Perp Dex: transparency, and rules determined by code.
The overall attack strategy is to profit from a large position at the expense of the liquidity inside the exchange.
To prevent this in the future, the size of the positions users can open must be reduced, which can be done by adjusting the leverage ratio and margin. Hyperliquid has also announced a reduction in the maximum leverage ratio for BTC and ETH, to 40x and 25x respectively, and will increase the ratio of required margin transfer by 20%, with the overall purpose of preventing users from opening large positions.
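The margin withdrawal described at the start of the article and the margin-transfer check mentioned above can be worked through numerically. This is an added example, not Hyperliquid's code: the simplified liquidation formula, the 1% maintenance margin ratio, the reading of the 20% figure as a minimum post-transfer margin ratio, and all position values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class LongPosition:
    size: float        # units of the asset held long
    entry: float       # entry price
    collateral: float  # cash backing the position, excluding unrealized PnL

def account_value(pos: LongPosition, mark: float) -> float:
    """Collateral plus unrealized PnL at the current mark price."""
    return pos.collateral + pos.size * (mark - pos.entry)

def liquidation_price(pos: LongPosition, mmr: float) -> float:
    """Price P where account value equals maintenance margin:
    collateral + size*(P - entry) = mmr * size * P."""
    return (pos.size * pos.entry - pos.collateral) / (pos.size * (1 - mmr))

def max_withdrawable(pos: LongPosition, mark: float, min_ratio: float) -> float:
    """Largest withdrawal that keeps account value >= min_ratio * notional."""
    return max(0.0, account_value(pos, mark) - min_ratio * pos.size * mark)

def withdraw(pos: LongPosition, mark: float, amount: float, min_ratio: float) -> LongPosition:
    """Apply a withdrawal only if the post-transfer margin ratio holds."""
    if amount > max_withdrawable(pos, mark, min_ratio):
        raise ValueError("withdrawal would leave the position under-margined")
    return replace(pos, collateral=pos.collateral - amount)

# Constructed sample: 1000 ETH long at $2000 with 50x leverage, mark now $2100.
MMR = 0.01        # assumed maintenance margin ratio
MIN_RATIO = 0.20  # assumed reading of the 20% margin-transfer requirement
MARK = 2100.0
whale = LongPosition(size=1000.0, entry=2000.0, collateral=40_000.0)

def unguarded_liq_price(pos: LongPosition, amount: float) -> float:
    """Liquidation price if the withdrawal is allowed with no ratio check."""
    return liquidation_price(replace(pos, collateral=pos.collateral - amount), MMR)

if __name__ == "__main__":
    print("liq price before:", round(liquidation_price(whale, MMR), 2))
    print("liq price after unguarded 110k withdrawal:",
          round(unguarded_liq_price(whale, 110_000.0), 2))
    print("withdrawable under guard:", max_withdrawable(whale, MARK, MIN_RATIO))
```

Without the check, withdrawing most of the floating profit moves the liquidation price from well below entry to just under the mark price; with the check, the 50x account cannot withdraw anything while the position is open.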
Following this approach, what else can Hyperliquid do? ADL: automatic deleveraging.
When the risk reserve fund (HLP) is unable to bear further losses caused by the liquidation of loss-making positions, the automatic deleveraging (ADL) mechanism is triggered to limit further losses to the risk reserve fund. The core principle is that the loss-making position is matched against a profit-making or high-leverage position (the "deleveraged position") in the opposite direction, and the two positions are offset and closed simultaneously. When ADL is triggered, the profit-making position may be forcibly closed, which limits its future profit potential while avoiding an impact on the level of the HLP fund.
All of the above measures limit a single account. Someone who wants to exploit the loopholes in the rules can open multiple accounts to carry out similar attacks. Of course, the project team can trace address associations and ban the related accounts, preventing Sybil attacks (which is also one of the reasons why centralized exchanges need KYC). But this measure goes against the core idea of DeFi: allowing anyone to use decentralized finance without permission.
The best solution is still for the Perp Dex protocols themselves to let the market mature gradually, with liquidity deepening over time and raising the cost for attackers until the attack becomes unprofitable. This is the necessary path for the development of the sector.
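A minimal sketch of the ADL matching described above, added here as an example and not taken from Hyperliquid or any exchange. The ranking score (profit ratio multiplied by effective leverage), the account names and all position values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Position:
    account: str
    side: str      # "long" or "short"
    size: float    # units of the asset
    entry: float   # entry price
    margin: float  # margin posted for the position

def unrealized_pnl(p: Position, mark: float) -> float:
    sign = 1.0 if p.side == "long" else -1.0
    return sign * p.size * (mark - p.entry)

def adl_score(p: Position, mark: float) -> float:
    """Assumed ranking: profit ratio times effective leverage.
    Positions that are not in profit score 0 and are deleveraged last."""
    pnl = unrealized_pnl(p, mark)
    equity = p.margin + pnl
    if pnl <= 0 or equity <= 0:
        return 0.0
    return (pnl / p.margin) * (p.size * mark / equity)

def run_adl(bankrupt: Position, book: list, mark: float):
    """Offset the bankrupt position against opposite-side positions,
    highest score first. Returns ([(account, closed_size)], unmatched_size)."""
    remaining = bankrupt.size
    fills = []
    opposite = [p for p in book if p.side != bankrupt.side]
    for p in sorted(opposite, key=lambda q: adl_score(q, mark), reverse=True):
        if remaining <= 0:
            break
        closed = min(p.size, remaining)  # both sides close this amount at mark
        fills.append((p.account, closed))
        remaining -= closed
    return fills, remaining

# Constructed sample book; mark has dropped to $1800.
MARK = 1800.0
BANKRUPT = Position("X", "long", 150.0, 2000.0, 0.0)
BOOK = [
    Position("A", "short", 100.0, 2000.0, 20_000.0),  # in profit, low leverage
    Position("B", "short", 100.0, 1900.0, 5_000.0),   # in profit, high leverage
    Position("C", "short", 50.0, 1700.0, 10_000.0),   # losing short
    Position("D", "long", 80.0, 1750.0, 15_000.0),    # same side, never matched
]

if __name__ == "__main__":
    print(run_adl(BANKRUPT, BOOK, MARK))
```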