An expert from Oak Security has explained what went wrong with the JELLY token exploit, which cost the Hyperliquid exchange $10.63 million.
Reactions are still mounting from an exploit that cost Hyperliquid (HYPE) exchange’s users $10.63 million in losses. The reactions seem to have one thing in common, which is calling out Hyperliquid for its practices.
Dr. Jan Philipp Fritsche, managing director at Oak Security, shared his analysis with crypto.news. According to Fritsche, the exploit wasn’t caused by a bug, but rather was a predictable failure, one that could pose a risk to other DeFi protocols as well.
The JELLY exploit appears to be the result of a coordinated market manipulation by several users. Specifically, one trader opened a $5 million short position on JELLY, only to remove their margin. Hyperliquid was left holding the position, after which other traders coordinated a short squeeze.
“The attacker opened massive opposing positions in JELLY, knowing that one side would collapse and the other would cash out. Because payouts weren’t capped and risk wasn’t isolated, the protocol ate the loss—and the attacker walked away with millions,“ Dr. Jan Philipp Fritsche, Oak Security
Fritsche described the exploit as a “textbook example of unpriced vega risk”, a concept from traditional finance that refers to the implied volatility of an asset. He emphasized that many DeFi protocols still fail to account for this crucial risk metric.
Hyperliquid under fire for JELLY exploit
This isn’t the first time industry figures have criticized Hyperliquid over the Jelly incident. Following the exploit, Bitget CEO Gracy Chen called the exchange’s practices “immature, unethical, and unprofessional,” warning that it could become FTX 2.0.
Although Hyperliquid has pledged to compensate users affected by the exploit, the damage to its reputation may already be done. More importantly, the exploit has drawn attention to broader vulnerabilities in the decentralized finance sector.
In 2024, DeFi exploits cost users $308.7 million in losses. That was more than rug pulls, which accounted for $192.9 million. Just days after the Jelly exploit, a DeFi protocol SIR.trading fell victim to another exploit, losing all of its total value locked of $355,000.
