An expert from Oak Security has analyzed the recent exploit of the JELLY token, which resulted in a staggering loss of $10.63 million for the Hyperliquid exchange.
In the aftermath of the exploit, which drained funds from Hyperliquid (HYPE) users, a chorus of criticisms has emerged, targeting the exchange’s operational practices.
Dr. Jan Philipp Fritsche, managing director at Oak Security, stated that the exploit was not due to a bug but rather a foreseeable failure that poses risks to other DeFi protocols as well.
The JELLY token exploit involved coordinated market manipulation. A single trader opened a $5 million short position on JELLY and subsequently withdrew their margin, leaving Hyperliquid exposed. This paved the way for other traders to execute a short squeeze, amplifying the losses.
“The attacker opened massive opposing positions in JELLY, knowing that one side would collapse and the other would cash out. Because payouts weren’t capped and risk wasn’t isolated, the protocol absorbed the loss, allowing the attacker to profit immensely,” Dr. Jan Philipp Fritsche.
Fritsche referred to the exploit as a “textbook example of unpriced vega risk”, a crucial metric often overlooked in the DeFi space, highlighting the sector’s need for improved risk management practices.
Hyperliquid Faces Backlash Over JELLY Incident
Industry leaders have not shied away from criticizing Hyperliquid in light of the JELLY exploit. Bitget CEO Gracy Chen labeled the exchange’s operational standards as “immature, unethical, and unprofessional,” suggesting that it could lead to a scenario reminiscent of FTX’s downfall.
While Hyperliquid has vowed to compensate the affected users, the damage to its reputation may be irreversible. This incident has sparked a larger conversation about vulnerabilities across the decentralized finance landscape.
In 2024 alone, losses from DeFi exploits reached $308.7 million, surpassing the $192.9 million lost to rug pulls. Just days after the JELLY exploit, another DeFi protocol, SIR.trading, succumbed to an exploit, losing its entire total value locked of $355,000.
