The price of popularity—and a lesson for all: Hyperliquid

After a generous airdrop in November 2024, the decentralised exchange (DEX) Hyperliquid drew industry-wide attention and topped trading volumes, ahead of Jupiter and dYdX. High transaction throughput, no KYC requirements and ample liquidity made the platform a welcoming venue for crypto whales.

High-risk positions worth about $8m opened on the DEX on 26 March 2025 jeopardised not only the platform’s stability but also the safety of client funds in the Hyperliquidity Provider Vault (HLP). The actions of several large addresses formed part of a coordinated attack involving price manipulation on external trading venues.

ForkLog reviewed the incident’s timeline, reactions from industry leaders, rivals’ “convenient” moves and the defensive steps taken by Hyperliquid’s management—measures that have cast doubt on its decentralisation principles.

The day of the attack

Hyperliquid uses liquidity pools from the HLP treasury to hedge positions. When a user opens a position, the mechanism executes a corresponding hedging order. In the event of liquidation, the system continuously and smoothly buys back the asset, creating a spiral effect.

Liquidations of short positions occur when prices jump sharply. Users can intentionally increase risk, minimising their own margin losses while shifting the burden to the HLP vault.

The design of Hyperliquid’s passive market-maker pools enabled manipulation of the liquidation system, harming HLP. At the time, the vault held about $290m.

According to the Hyperliquid team, at around 12:50 (UTC) on March 26 the DEX was attacked through manipulation of a thinly traded token—JELLYJELLY. After detecting “suspicious market activity”, six validator votes initiated the delisting of perpetual contracts on the asset.

After evidence of suspicious market activity, the validator set convened and voted to delist JELLY perps.

All users apart from flagged addresses will be made whole from the Hyper Foundation. This will be done automatically in the coming days based on onchain data. There is no…

— Hyperliquid (@HyperliquidX) March 26, 2025

In an official report, Hyperliquid representatives split the incident into four phases, detailing trades, addresses and transaction hashes involved on the day of the attack.

A brief timeline:

• phase 0 — “market preparation”. The JELLYJELLY price rose by 13% by 10:50 UTC, then returned to its initial level by 12:15. This was likely a test of market reaction and liquidity before the main attack. Over the next 40 minutes, the price fell 93% — from $0.1287 to $0.00831 — to speed up subsequent long liquidations and the assault on HLP vaults;

• phase 1 — creation of a delta-neutral position. At 12:53, attackers opened large short positions in JELLYJELLY perpetuals from address 0xde95…c91: two transactions at about $0.00950 totalling roughly $4.08m. Then, to offset losses from two other addresses, they placed long orders totalling $4.06m. User 0x67fe…CA2 opened a long for 201,877,470 JELLYJELLY at $0.009503. Address 0x20e8…808 submitted similar orders;

• phase 2 — triggering the liquidation mechanism to route orders into HLP vaults. At 13:03, the attackers requested the withdrawal of all available margin and partially closed their shorts, deliberately provoking liquidation. A short of about $254,189 was closed at $0.073978. In the same minute, thanks to the high-speed mechanism, a short position of almost 400m JELLYJELLY ended up in the HLP vault. Over the next two minutes, the attackers transferred 2,762,742.63 USDC to the Arbitrum network. As a result, Hyperliquid’s settlement mechanism held a short opened at $0.011282;

• phase 3 — pumping JELLYJELLY to damage Hyperliquid. Between 13:00 and 14:00, the attackers aggressively pumped JELLYJELLY to saddle Hyperliquid with huge unrealised losses on the open shorts. Coordinating across the platform and external exchanges, they drove the price by roughly 400% to about $0.05. Owing to the token’s low liquidity, spot buying on large exchanges caused a sharp spike. Because pricing of perpetuals on Hyperliquid relied on an oracle tied to spot, the manipulation immediately affected derivatives.

Specialists at the DEX linked earlier “suspicious” transactions between March 15 and 25, calling them “preparatory”. These experiments aimed to refine the strategy and explore the exchange’s mechanics. The tagged addresses deposited and withdrew funds, tested liquidations with different amounts and managed positions using several order types.

As a result of the March 26 incident, a whale managed to withdraw about $6.2m. Arkham experts noted that even if the attackers had taken the then-remaining ~$900,000, they would still have lost roughly $4,000.

The exchange halted trading, fixed the price at $0.0095 and even ended up about $700,000 in the black, promising to reimburse affected users.

The moves sparked a barrage of criticism on social media. Some centralised-exchange (CEX) executives, backed by influencers, accused the team of violating decentralisation principles and of negligence.

Could CEXs have acted differently?

According to DeFi Llama, as of April 8 2025, the average daily volume of perpetuals across all venues was about $20.3bn. Over half — roughly $13bn — went through Hyperliquid.

Per CoinGecko, at the time of writing Hyperliquid ranks 13th by open interest among derivatives exchanges with $2.7bn. It outpaces big players like Deribit and the derivatives arms of Crypto.com, BingX and KuCoin. This is the first time a decentralised exchange has competed so successfully with established centralised venues.

Beyond USDC on Arbitrum, the platform accepts bitcoin as collateral. That makes Hyperliquid one of the few DEXs that let users trade the “digital gold” directly from a Web3 wallet.

On March 15, Hyperliquid’s share of BTC perpetuals hit an all-time high, amounting to roughly 50% of Bybit’s volumes and 21% of Binance’s.

According to Dune, the platform has attracted more than 415,000 users and processed around 60bn trades.

In the view of the affected DEX’s specialists, centralised exchanges and their leadership played a significant role in the March 26 incident. After analysis, they concluded that the greatest influence on the attack came from malicious users on Bybit. They cited the main reasons:

• influence on the oracle. Bybit’s impact on the delivery of spot quotes was disproportionately large;
• role in the margin-price calculation. The average price of contracts on Bybit was directly used to compute the mark price on Hyperliquid;
• liquidity. The deep order book on Bybit allowed large trades with minimal slippage;
• limited competition. The effect was amplified because large exchanges such as Binance had not yet listed JELLYJELLY, leaving price formation largely to Bybit and smaller venues.

By pumping the token, the attackers distorted oracle data used to compute the mark price on Hyperliquid, triggering liquidations.

While JELLYJELLY price manipulation ran through traffic on Bybit, Binance and Bitget, the leadership of these exchanges did not sit on their hands.

Bitget CEO Gracy Chen said:

“The way Hyperliquid handled the incident was immature, unethical and unprofessional, led to user losses and raised serious doubts about its commitment to principles. Although the platform positions itself as a cutting-edge DEX with an innovative approach, it operates more like an offshore CEX without KYC/AML that indulges flows of illicit funds and bad actors.”

As the price of a thin token surged, CEXs listed derivatives after Hyperliquid halted trading. At 15:30, OKX—and then at 16:00, Binance Futures—launched trading in JELLYJELLYUSDT perpetuals with 50x leverage.

On the timely chance to wound a rival, former BitMEX chief Arthur Hayes spoke obliquely. He cast OKX head Star Xu and former Binance CEO Changpeng Zhao (CZ) as accomplices against a “weak” Hyperliquid.

Some of you will appreciate the irony that CZ and Star are cooperating to gang up on @HyperliquidX . You gotta know ur crypto history to get the joke. There is nothing more that humans like than to support an underdog vs. a perceived unstoppable opponent. $HYPE for the win! pic.twitter.com/pSgYcB9NAK

— Arthur Hayes (@CryptoHayes) March 27, 2025

Too early to draw conclusions

Hyperliquid’s architecture is built for scale, with potential integration of the rising SVM and MoveVM into its ecosystem. Its L1 with the HyperBFT consensus serves as a base for potential DeFi applications and L2 solutions launched atop it, such as HyperEVM.

Thanks to its technical capabilities, Hyperliquid offers more flexibility than CEXs and presents serious competition to them.

In a 31 March interview with Wu Blockchain, a developer of an LSD protocol named Sean shared his views on the criticism aimed at the DEX.

He mentioned Binance’s strategic plans to bring users back to the exchange via BNB Chain. He also suggested that CZ is trying to recreate Solana’s playbook by aggressively pushing memecoins.

“Binance and OKX undoubtedly feel threatened by decentralised solutions and will work to minimise these risks. Such competition is expected and entirely justified,” the developer added.

He noted he does not fully understand why influencers promote centralised exchanges while excessively criticising Hyperliquid. They use isolated incidents as a pretext to disparage the entire architecture.

“Competition in the industry should neither be exaggerated nor turned toxic. Centralised exchanges have systemic problems of their own and should remain vigilant. Their core role is to earn fees from trading volumes, not to engage in dubious PR attacks via key opinion leaders against competitors,” Sean stressed.

Hyperliquid was originally created as a market maker, so liquidity took precedence over system-wide risk management. After past incidents involving excessive leverage, Hyperliquid lowered borrow limits for BTC and ETH.

Sean highlighted the DEX’s shortcomings:

• limited resources without access to open-source code. Its closed nature raises concerns about possible manipulation by the team, for example related to MEV;
• the Hyperliquid block explorer provides a limited range of information (no detailed account interaction history and no asset balance data);
• use of a listing process via a Dutch auction. This allowed a small-cap token to open an excessively large short position—larger than its entire market capitalisation;
• the mechanics of passive market-maker pools. If exploited—especially with low-liquidity projects—losses can be readily inflicted on HLP users.

Conclusion

The JELLYJELLY incident is an important lesson for the crypto industry. The attack on a DEX set a precedent, sparking worrying debates about a network of “sleeping” hackers across trading platforms and the rights of decentralised-exchange customers. The situation forced developers to revisit existing security systems.

In a bid to lead DeFi and offer users a coherent decentralised ecosystem, Hyperliquid’s developers introduced new mechanisms. They used a passive market-maker protocol, granting ownership and governance of HLP to users. Ultimately, however, they were forced to intervene in their own decentralisation rules by closing trading in JELLYJELLY. Management, for its part, allowed trading of low-liquidity tokens with high leverage, perhaps paying insufficient attention to the manipulations in the first half of March.

CEX managers acted within their business models, where free competition can turn toxic. Influencers picked up the theme, doing their job and fanning the flames—ones that, for now, Hyperliquid has partly extinguished.