Hyperliquid: The Price of Popularity and a Lesson for All

After a generous airdrop in November 2024, Hyperliquid's decentralized exchange (DEX) caught the industry's attention and took the lead in trading volume, ahead of Jupiter and dYdX. High transaction speeds, no KYC requirements, and ample liquidity have made the platform a favorable destination for cryptocurrencies.

High-risk positions worth nearly $8 million opened on DEX on March 26, 2025, jeopardized not only the stability of the venue, but also the safety of client funds in the Hyperliquidity Provider Vault (HLP). The actions of several large addresses appeared to be part of a coordinated attack involving price manipulation on third-party trading platforms.

ForkLog looked at the chronology of the incident with reactions from industry leaders, ”convenient” actions by competitors, and forced defensive measures by Hyperliquid's management that put the principles of decentralization into question.

The day of the attack

Hyperliquid uses HLP Treasury liquidity pools to hedge positions. When a user opens a position, the engine executes the corresponding hedging order. In case of liquidation, the system continuously and smoothly buys back the asset, creating a spiral effect.

Liquidations of short positions occur when prices rise sharply. Users can intentionally increase risk by minimizing their own marginal losses, shifting responsibility to the HLP custodian.

The design of Hyperliquid's passive market maker pooling mechanism allowed manipulation of the liquidation system, damaging HLP. At the time, there was about $290 million in the vault.

According to Hyperliquid's team, DEX came under attack on March 26 at around 12:50 a.m. (UTC) by manipulating the price of a low-liquidity token, JELLYJELLY. After identifying ”suspicious market activity,” the votes of six validators initiated a delisting of the asset's perpetual contracts.

The official report by Hyperliquid representatives roughly divides the incident into four phases. It details the transactions, addresses, and transaction hashes appearing on the day of the attack.

• phase 0 - ”market preparation”. The price of JELLYJELLY rose by 13% by 10:50 UTC, then returned to the initial level at 12:15. It was probably a test of market reaction and liquidity level before the main attack. Within 40 minutes there is a sharp 93% price drop - from $0.1287 to $0.00831 - to accelerate further liquidation of long positions and attack on HLP vaults;

• phase 1 - creating a delta-neutral position. At 12:53pm, the attackers opened large short positions in JELLYJELLY perpetual contracts from address 0xde95...c91. The shorted two transactions at ~$0.00950 for ~$4.08 million. Then, to offset losses from two other addresses, orders are given for long positions for $4.06 million. User 0x67fe...CA2 used a long on 201,877,470 JELLYJELLY at $0.009503. Address 0x20e8...808 received similar orders from address 0x20e8...808;

• phase 2 - launching the liquidation mechanism to send orders to HLP storages. At 13:03, the attackers submit a request to withdraw all available margin and partially close their short positions, intentionally triggering liquidation. The ~$254,189 short closes at $0.073978. That same minute, a short position of nearly 400 million JELLYJELLY ends up in the HLP vault, thanks to a speedy mechanism. Over the next two minutes, the attackers transfer 2,762,742.63 USDC into the Arbitrum network. As a result, Hyperliquid's redemption mechanism holds a short position opened at $0.011282;

• phase 3 - dump JELLYJELLY to damage Hyperliquid. Between 13:00 and 14:00, the attackers begin an aggressive dump of the JELLYJELLY token to drive Hyperliquid into huge unrealized losses on open shorts. In a coordinated effort involving both the platform itself and external exchanges, they drive the price up about 400% to $0.05. Due to the low liquidity of the token, buying up the asset on the spot of major exchanges caused a sharp jump in price. Since the settlement of perpetual Hyperliquid futures was based on an oracle linked to the spot value, the manipulation had an immediate impact on derivatives.

DEX specialists linked the previous ”suspicious” transactions between March 15 and March 25, calling them ”preparatory.” These experiments were aimed at refining the strategy and learning the mechanics of the exchange. Marked addresses entered and withdrew funds, tested liquidations with different amounts, managed positions using several types of orders.

As a result of the March 26 incident, Whale managed to withdraw about $6.2 million. Arkham experts noted that if the attackers managed to withdraw the ~$900,000 remaining at that time, they would still lose ~$4,000.

The exchange stopped trading, fixed the price at $0.0095, and even came out in the plus side at ~$700,000, promising to reimburse the victims.

The actions sparked a flurry of criticism on social media. Some Centralized Exchange Executives (CEX), backed by Influencers, accused the team of violating decentralization principles and being negligent.

Could CEX have done things differently?

According to DeFi Llama, as of April 8, 2025, the average daily trading volume of perpetual contracts across all venues was ~$20.3 billion. Hyperliquid accounted for more than half of that - roughly $13 billion.

According to CoinGecko, at the time of writing, Hyperliquid is the 13th largest open interest among derivatives exchanges at $2.7 billion, overtaking major players like Deribit, as well as divisions of well-known platforms Crypto.com, BingX, and KuCoin. This is the first time when a decentralized exchange so successfully competes with established centralized platforms.

Apart from USDC on the Arbitrum network, the platform accepts bitcoin as collateral. This makes Hyperliquid one of the few decentralized marketplaces that allows trading of ”digital gold” directly from a Web3 wallet.

On March 15, Hyperliquid's share of the open-ended futures market for the first cryptocurrency reached an all-time high, accounting for ~50% of Bybit's volume and 21% of Binance's.

According to Dune, the platform attracted more than 415,000 users and processed around 60 billion transactions.

According to experts at the affected DEX, centralized exchanges and their management played a significant role in the March 26 incident. After analyzing it, the experts concluded that the attack was most influenced by malicious users from the Bybit exchange. They named the main reasons:

• influence on oracle. Bybit's level of influence over the delivery mechanism of spot quotes had a disproportionate;
• role in the margin price calculation. The average value of Bybit contracts was directly used to calculate the mark price on Hyperliquid;
• liquidity. The deep order stack on Bybit allowed for large trades with minimal slippage;
• limited competition. The effect was amplified by the fact that large exchanges like Binance had not yet listed JELLYJELLY, leaving pricing largely determined by Bybit and smaller venues.

By spiking the token, the attackers corrupted oracle data, which was then used to calculate the margin price on Hyperliquid, triggering liquidations.

While the manipulation of JELLYJELLY's price was happening through Bybit, Binance and Bitget traffic, the management of these exchanges did not stay out of the situation.

Bitget CEO Gracie Cheng stated:

With a sharp rise in the price of the weakly liquid token, CEX held derivative asset listings after a trading halt on Hyperliquid. At 15:30 OKX exchange and then at 16:00 Binance Futures launched trading of JELLYJELLYUSDT perpetual contracts with 50x leverage.

About the opportune moment to beat the competitor, the former head of cryptocurrency exchange BitMEX Arthur Hayes made a veiled statement. He presented OKX CEO Star Xu and former Binance CEO Changpeng Zhao (CZ) as accomplices against the ”weak” Hyperliquid.

It's too early to draw conclusions

Hyperliquid's architecture is built with scalability in mind, with potential integration of the increasingly popular SVM and MoveVM into its ecosystem. L1 with its HyperBFT consensus mechanism acts as a base for potential DeFi applications and Layer 2 (L2) solutions running on it like HyperEVM.

With its technical capabilities, Hyperliquid offers more flexibility than CEX and represents serious competition for them.

In an interview with Wu Blockchain on March 31, a developer of the LSD protocol named Sean shared his opinion on the criticism of DEX.

He mentioned Binance's strategic plans to bring users back to the exchange using BNB Chain. He also suggested that CZ is trying to replicate the Solana scenario by aggressively promoting meme tokens.

The specialist noted that he does not fully understand why Influencers promote centralized exchanges and at the same time excessively criticize Hyperliquid. They use individual incidents as a reason to negatively evaluate the entire architecture.

Hyperliquid was originally set up as a market maker, so liquidity was prioritized over systemic risk management. After past incidents of excessive leverage, Hyperliquid lowered its borrowing limits for BTC and ETH.

Sean highlighted the disadvantages of DEX:

• Limited resources without access to open source. The closed nature raises concerns about possible manipulation by the team, such as those related to MEV; 
• Hyperliquid's blockchain browser provides a limited range of information (no detailed history of account interactions or asset balance data); 
• The use of a listing process via Dutch auction. This allowed the small-cap token to open an excessively large short position - more than its entire market value;
• the mechanics of passive market maker pools. If exploited, especially with low-liquidity projects, it can easily create losses for HLP users.

The bottom line

The JELLYJELLY incident is an important lesson for the entire crypto industry. The attack on DEX set a precedent, triggering alarming discussions in communities about the network of sleeper hackers on trading platforms and the rights of clients of decentralized exchanges. The situation forced programmers to rethink existing security systems.

In an attempt to take a leading position in the DeFi segment and offer users a complete decentralized ecosystem, Hyperliquid developers implemented new mechanisms. They used a passive market maker protocol, giving ownership and management of the HLP to users. But eventually they were forced to interfere with their own decentralization rules by shutting down JELLYJELLY trading. Management, in turn, allowed trading in low-liquidity tokens with high leverage, perhaps not paying enough attention to the manipulations that occurred in the first half of March;

CEX managers were operating within existing business models where free competition can create a toxic environment. Influencers picked up on the idea and did their job, adding oil to the fire, which at this stage Hyperliquid has managed to partially douse.