JELLYJELLY Exploit on Hyperliquid

‍

Three Hyperliquid accounts attacked perpetuals DEX, Hyperliquid, using a “self-liquidation” method similar to prior attacks in the same month from other accounts. In this attack, the first trader, 0xde9, takes a $4.1M short position on the Solana memecoin, JELLY, while two other accounts, 0x20e and 0x67f, take long positions of $2.15M and $1.9M respectively, to counter the short position.

‍

This coordinated "self-liquidation" strategy is a form of sophisticated market manipulation. By opening large, opposing positions, the attackers effectively control both sides of the trade, setting the stage to exploit the platform's liquidation engine rather than speculating on the asset's price.

As JELLY price rose, the short position was quickly liquidated, which was passed to the HyperLiquidity Provider (HLP) Vault for clearance. However, due to its size, the HLP vault could not clear the position, leading to mounting losses as JELLY continued to climb. This was further exacerbated by traders piling in on the long, expecting a squeeze upwards and an OKX listing of JELLY perpetual contracts shortly after.

‍

‍

The failure of the HLP vault to clear the position is a critical vulnerability. This vault acts as the platform's central counterparty and insurance fund. Its inability to manage the large liquidation threatened its solvency, creating a systemic risk for all users on the platform.

However, the Hyperliquid team stepped in, delisting the JELLY token from the platform, while closing all open positions at a price of $0.0095. The move closed the HLP short position for a $700K gain, while the attackers lost their profits. All in all, the attackers deposited a total of $7.17M into Hyperliquid and have withdrawn ~$6.26M, with $900K remaining on the two long accounts, leaving them with relatively small loss.

The team's decision to manually set a closing price is a highly controversial move for a decentralized exchange. While it neutralized the attack and prevented further HLP losses, it also overrode the platform's autonomous smart contracts, demonstrating a clear centralized point of control.

The team’s actions have drawn criticism on the centralization of the platform, while others have come to the team’s defence, expressing the necessity of such an action to save the HLP vault and the Hyperliquid platform. This incident highlights a core tension in the decentralized finance space. Platforms must balance the ideal of immutable, code-driven markets with the practical need to protect user funds and platform integrity from bad actors and unforeseen market events.