On the night of March 26, the vault of decentralized trading platform Hyperliquid faced a liquidation risk of up to $240 million due to price manipulation of the memecoin $JELLYJELLY.
Previously, whales using 50x leverage on Hyperliquid had deliberately forced the liquidation of their own long positions, putting the platform's vault at risk of losses.
(See "All 50x Leverage Whales on Hyperliquid Have Been Closed Out, 16,000 ETH Long Positions 'Actively Liquidated'")
Last night's attack not only exposed the vulnerability of DeFi/DEX platforms in high-leverage trading but also became more complex due to the "active assistance" of centralized exchanges (CEX) - more like a mantis stalking a cicada, with a sparrow waiting in the background:
The attacker aimed to profit from price manipulation, while CEX wanted to attract users and traffic by listing popular tokens, indirectly undermining the fund safety and reputation of competing DEX platforms.
If you are not familiar with Hyperliquid and this attack, we have collected summaries and analyses from various parties to reconstruct the full event, explain the attack principles, and explore the motivations of each party.
Event Overview: From Short to Vault Crisis
First, you need to know what Hyperliquid is.
Hyperliquid is a decentralized trading platform based on its own Layer 1 blockchain, offering perpetual contract trading, aiming to combine the advantages of centralized and decentralized trading platforms.
Its vault HLP is a community-owned protocol vault responsible for market making and liquidation, allowing users to deposit and share profits and losses. According to Vaults | Hyperliquid Docs, HLP deposits have a 4-day lock-up period to support platform liquidity.
So, what were the steps of this attack on the HLP vault?

(Image source: Ai Yi's Twitter post)
· Opening a Short: According to Ai Yi's monitoring, the attacker opened a $4.08 million short position on $JELLYJELLY on Hyperliquid at a price of $0.0095, with a margin of 3.5 million USDC.
· Lowering Price to Trigger Liquidation: Another address, acting in coordination, sold $JELLYJELLY in the spot market, lowering the spot price so that the short position showed a floating profit. The attacker then withdrew 2.76 million USDC of margin, triggering liquidation, and the vault took over the position.
· Raising Price to Expand Losses: After liquidation, the attacker bought $JELLYJELLY in two dense waves at 21:01 and 21:45, raising the price. According to CoinGecko data, the price rose 230% in a short time, causing the vault's short position to suffer increasing floating losses.
· CEX Active Intervention: As long as $JELLYJELLY kept rising, the losses on the short position would keep growing; at this point, Binance and OKX listed $JELLYJELLY perpetual contracts, attracting massive trading volume, further pushing up the price and exacerbating vault losses.
· Vault Facing Redemption Risk: As of March 27, 2025, the vault's floating loss reached $10.63 million, with TVL dropping by about $20 million, the latest TVL being $231 million (Hyperliquid dashboard). If $JELLYJELLY's price rises to $0.17, the vault might be liquidated, losing $240 million.
· Hyperliquid Delists JELLYJELLY, No Losses: Subsequently, Hyperliquid's vault liquidated 392 million JELLY tokens at $0.0095 (about $3.72 million), gaining $703,000 without any losses. Meanwhile, after discovering evidence of suspicious market activities, validators convened a meeting and voted to delist JELLY perpetual contracts, with all users to be fully compensated by the Hyper Foundation.
Price Manipulation and CEX "Assist" Effect
If it seems a bit confusing, let's understand the principles of short selling, spot trading cooperation, and CEX assistance.
Short selling is when investors borrow and sell assets, hoping to buy back at a lower price for profit.
For example: If $JELLYJELLY is priced at $0.10, the attacker borrows and sells 1 million tokens, receiving $10,000. If the price drops to $0.05, they buy back for $5,000, profiting $5,000. But if the price rises to $0.15, they must buy back for $15,000, losing $5,000.
Hyperliquid's Liquidation Mechanism
On Hyperliquid, positions are liquidated when traders' margins cannot cover potential losses. According to Liquidations | Hyperliquid Docs, liquidation uses a mark price (combining external CEX prices and Hyperliquid order book status) to ensure more robust liquidation. After liquidation, the HLP vault takes over the position and bears subsequent risks.
Let's look at the short selling and spot buying mentioned earlier:
· Attacker's Logic: Suppress Price -- Trigger Liquidation -- Create Losses
The attacker opened a $JELLYJELLY short position at $0.0095, simultaneously selling spot to lower the price, making the short position appear profitable.
This was easy to achieve because the target was a memecoin, $JELLYJELLY, with an N-fold difference in market depth, which makes price manipulation much easier.
The attacker withdrew most of the margin (e.g., 2.76 million USDC), making the short position unsustainable, triggering the liquidation mechanism, forcing Hyperliquid's vault to take over the short position.
The key is that the attacker then bought $JELLYJELLY, raising the price to $0.16, forcing the vault to buy back $JELLYJELLY at a higher price to close the short position, expanding losses.
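The effect of the margin withdrawal described above can be put in numbers. The Python sketch below is an added example, not Hyperliquid's code or the article's: it uses the article's figures (a $4.08 million short at $0.0095, 3.5 million USDC margin, 2.76 million USDC withdrawn), while the 5% maintenance margin ratio, the 50% stress shock, the depressed mark of $0.0080 and the withdrawal guard itself are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Figures stated in the article
NOTIONAL = 4_080_000.0   # USD size of the short when opened
ENTRY = 0.0095           # entry price
MARGIN = 3_500_000.0     # USDC posted as margin
WITHDRAWN = 2_760_000.0  # USDC later withdrawn
# Assumptions for illustration (not Hyperliquid parameters)
MMR = 0.05               # maintenance margin ratio
SHOCK = 0.50             # upward price stress for an illiquid token
DEPRESSED_MARK = 0.0080  # constructed mark price after spot selling

@dataclass
class ShortPosition:
    size: float    # tokens sold short
    entry: float   # entry price in USDC
    margin: float  # collateral in USDC

    def equity(self, mark: float) -> float:
        """Collateral plus unrealized PnL of the short at this mark price."""
        return self.margin + self.size * (self.entry - mark)

    def liquidation_price(self, mmr: float) -> float:
        """Mark price above which equity falls below mmr * notional."""
        return (self.margin + self.size * self.entry) / (self.size * (1 + mmr))

def max_safe_withdrawal(pos: ShortPosition, mark: float, mmr: float, shock: float) -> float:
    """Hypothetical guard: the most collateral that can leave while the position
    still meets maintenance margin at a stressed price. The stress starts from
    max(mark, entry), so a pushed-down mark does not free extra collateral."""
    stressed = max(mark, pos.entry) * (1 + shock)
    surplus = pos.equity(stressed) - mmr * pos.size * stressed
    return max(0.0, surplus)

def summarize() -> dict:
    size = NOTIONAL / ENTRY
    before = ShortPosition(size, ENTRY, MARGIN)
    after = ShortPosition(size, ENTRY, MARGIN - WITHDRAWN)
    return {
        "liq_before": before.liquidation_price(MMR),
        "liq_after": after.liquidation_price(MMR),
        "guard_limit": max_safe_withdrawal(before, DEPRESSED_MARK, MMR, SHOCK),
    }

if __name__ == "__main__":
    print(summarize())
```

Under these assumptions the liquidation price falls from about $0.0168 to about $0.0107 once the margin is withdrawn, and the stressed-price guard would have capped the withdrawal at 1.154 million USDC.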
CEX Assist Principle
CEX listing $JELLYJELLY perpetual contracts had a clear "assist" effect.
CEX has a massive user base and trading volume. Listing $JELLYJELLY perpetual contracts attracted many speculators. This significantly pushed up $JELLYJELLY's price, further exacerbating vault short position losses.
You can also see the obvious intent of CEX intervention from the reply post below.

Subsequent Impact
Although Hyperliquid quickly delisted $JELLYJELLY perpetual contracts without actual vault losses, this incident exposed the vulnerability of DeFi platforms facing high-leverage trading and price manipulation.
More importantly, this event sparked widespread community questioning of Hyperliquid's liquidation mechanism and decision-making transparency. Users are concerned about the platform's ability to maintain fund safety in future similar events and questioned whether the platform truly achieves decentralized governance.
Some posts mentioned that the top 10 deposit addresses provide 15.9% of funds, and if whales withdraw, it could accelerate a vicious cycle, forming a "bank run".
Although no financial losses occurred, reputation damage may have already begun.
Is Hyperliquid truly a DEX? If so, why can it so easily delist tokens? Are governance powers concentrated in the hands of a few?
These community doubts reflect DeFi users' concerns about platform governance transparency and community participation, while also presenting new challenges for Hyperliquid: how to balance decentralization and efficiency while maintaining fund safety.
As a DeFi platform, Hyperliquid relies on community vaults and liquidation mechanisms, but appears vulnerable against CEX's massive trading volume and market influence. CEX can quickly attract funds and influence prices by listing popular tokens, while DeFi platforms may fall into crisis due to insufficient liquidity and price manipulation.
Mantis Stalking Cicada, Sparrow Waiting
This is a complex game where each participant harbors different motivations, trying to take the initiative in this price manipulation game.
Attackers: Profit-Driven Price Manipulators
The attackers' goal is to profit through price manipulation. Ai Yi's post shows that the manipulation address holds 1.24 million $JELLYJELLY (worth $4.86 million), possibly a strategy to sell at a high price after pumping. They may be imitating the previous 50x leverage whale operation, exploiting the price volatility of low-liquidity memecoins.
Hyperliquid: Protecting Users and Platform
Hyperliquid is striving to protect user funds and platform stability. Community posts suggest the platform may adjust BTC and ETH leverage multiples to reduce similar risks. In the future, they may need to increase margin requirements or improve liquidation mechanisms to protect HLP community funds.
CEX: "Precision Strike" in Competition
CEX's rapid response and listing actions are not just a business decision, but may also hide competitive considerations.
By quickly launching $JELLYJELLY perpetual contracts, CEX attracted a large number of speculators into the market, driving up the token price and indirectly increasing the risk of losses in Hyperliquid's vault.
This precise market intervention appears to be chasing profits, but may actually be a "precision strike" - amplifying Hyperliquid's liquidation crisis to weaken its market competitiveness as a DeFi platform.
From the above motives, it can be seen that the attackers are not entirely in an advantageous position, and CEX's market strategy to some extent exploited the attackers' actions, further amplifying its market influence. The identities of hunter and prey alternate in this multi-layered game, ultimately forming a complex network of interests.
For Hyperliquid, this is both a crisis of fund safety and a test of trust.
After all, this is not the first time - previously, the 50x leverage whale also used Hyperliquid's mechanism to "actively liquidate 160,000 ETH long positions" and withdraw $1.857 million in profits...
We cannot predict whether such attacks will continue, but in this incident, you can clearly see that:
A gap still exists between the ideals and reality of decentralization, and more efficient trading hides even bloodier games.




