Author: @agintender Original link: https://x.com/agintender/status/1952339699881980202
Statement: This article is a reprint; readers can obtain more information through the original link. If the author has any objections to the reprint format, please contact us, and we will modify it according to the author's request. Reprinting is for information sharing only and does not constitute any investment advice, nor does it represent Wu's views and positions.
When the loyal messenger was weaponized—the mark price, this fair judge, became the fuse that ignited the chain liquidation storm of Hyperliquid.
In March 2025, a little-known token with a daily trading volume of less than $2 million—JELLY—triggered a multi-million dollar liquidation storm on Hyperliquid. Shockingly, the attacker neither tampered with the smart contract nor exploited traditional code vulnerabilities but turned the platform's most core security mechanism—the mark price—into a weapon.
This was not a hacking attack but a 'compliance attack' on the system rules. The attacker used the platform's publicly available calculation logic, algorithm processes, and risk control mechanisms to create a highly lethal 'no-code attack' on both the market and traders. The mark price, which should anchor 'neutrality and safety' in the market, transformed from a shield into a blade during this incident.
This article will analyze the systemic risks of the mark price mechanism in the perpetual contract market of altcoins from both theoretical and practical perspectives and conduct a detailed review of the Jelly-My-Jelly attack event. This event not only reveals the structural vulnerabilities of oracle design and the double-edged nature of innovative liquidity pools (HLP Vault) but also exposes the inherent asymmetry of current mainstream liquidation logic in protecting user funds during extreme market conditions.
Part One: The Core Paradox of Perpetual Contracts—The Leaning Liquidation Mechanism of False Security
1.1 Mark Price: A Leaning Liquidation Tendency from a Consensus Game Misunderstood as Safe To understand how the mark price became an attack entry point, one must first break down its structural logic. Although the calculation methods of various exchanges differ slightly, their core principles are highly consistent—centered around a three-value median mechanism built around the 'index price'.
The index price is the cornerstone of the mark price. It does not come from the derivatives exchange itself but is calculated through the weighted average of prices for that asset across multiple mainstream spot platforms (such as Binance, Coinbase, Kraken, etc.), aiming to provide a fair reference price across platforms and regions. A typical calculation method for the mark price is as follows:
Mark Price = Median (Price1, Price2, Last Traded Price)
Price1 = Index Price × (1 + Funding Rate Basis): Anchoring the contract price to the index price while considering market expectations.
Price2 = Index Price + Moving Average Basis: Used to smooth out short-term price anomalies.
Last Traded Price = Latest transaction price on the derivatives platform.
The introduction of the median was initially intended to filter out outliers and improve price stability. However, the safety of this design is entirely based on a key assumption: that the number of input data sources is sufficient, distributed reasonably, and possesses strong liquidity that is hard to manipulate in coordination.
However, in reality, the spot market for the vast majority of altcoins is extremely weak. Once an attacker can control the prices of several low-liquidity platforms, they can 'pollute' the index price, thereby injecting malicious data into the mark price through formulas. This type of attack can leverage minimal costs to trigger large-scale leveraged liquidations, causing a chain reaction.
In other words, the aggregation mechanism is intended to disperse risk, but in a market with sparse liquidity, it instead forms a centralized weakness that attackers can control. The more the derivatives platform emphasizes the transparency and predictability of its rules, the more attackers can 'programmatically exploit the rules' to construct a compliant destruction path.
1.2 The Liquidation Engine: The Shield and the Blade of the Platform
When market prices move rapidly in an unfavorable direction, the trader's margin will be eroded by unrealized losses. Once the remaining margin falls below the 'Maintenance Margin', the liquidation engine will be activated.
In these processes, the most critical trigger standard is the mark price, not the latest transaction price of the platform itself. This means that even if the current market transaction price has not yet reached your liquidation line, as long as that 'invisible' mark price is reached, liquidation will be triggered immediately.
It is worth being cautious of the 'forced liquidation' mechanism.
In many exchanges, to avoid the risk of liquidation, risk control systems often adopt conservative liquidation parameters. Once a forced liquidation is triggered, even if the liquidation price is better than the actual loss-zero price, the platform usually does not return this 'liquidation surplus', but rather injects it directly into the platform's insurance fund. This leads traders to have an illusion of 'having margin but being liquidated early', with their accounts going directly to zero.
This mechanism is especially common in low-liquidity assets. Platforms will set more conservative liquidation lines for their own risk hedging, making it easier for positions to be 'liquidated early' amidst price fluctuations. The logic is reasonable, but the result is a subtle misalignment of interests between the platform and traders during extreme market conditions.
The liquidation engine should be a neutral risk control tool, but in terms of profit attribution, parameter selection, and triggering logic, it has a tendency to profit the platform.
1.3 The Ineffectiveness of Mark Price Leads to Distortion of the Liquidation Engine
Under this platform's aversion to loss, the drastic fluctuations of index prices and mark prices further exacerbate this preemptive (post) liquidation of funds.
The theory of mark price provides a fair, anti-manipulation price benchmark through the aggregation of multi-source data and median algorithms. However, this theory may hold when applied to mainstream assets with abundant liquidity, but it faces severe challenges when confronting thinly traded altcoins concentrated in a few trading venues.
The Ineffectiveness of the Median: The Statistical Dilemma of Concentrated Data Sources
Effectiveness in Large Data Sets: Suppose a price index contains 10 independent, highly liquid data sources. If one of those data sources issues an extreme quote for any reason, the median algorithm can easily identify it as an outlier and ignore it, taking the middle value as the final price, thus maintaining the stability of the index.
Vulnerability in Small Data Sets: Now, let’s consider a typical altcoin scenario.
Tri-Source Scenario: If the index price of an altcoin only includes the spot prices from three exchanges (A, B, C). At this point, the median is the price that ranks in the middle of the three. If a malicious actor simultaneously manipulates the prices of two exchanges (for example, A and B), then regardless of how accurate C's price is, the median will be determined by the manipulated prices of A and B. At this point, the protective function of the median algorithm is almost zero.
Detailed Attack Path: Five Steps to Breach the Protocol Defense
For the vast majority of altcoins, their trading depth and the number of listed exchanges are very limited, which makes their price indices highly susceptible to the aforementioned 'small data set' traps. Therefore, the sense of security brought by the exchanges' claims of 'multi-source index' is often just an illusion in the world of altcoins. Many times, the latest transaction price is often equated with the mark price.
Part Two: The Oracle Dilemma: When Spot Liquidity Depletion Becomes a Weapon
The foundation of the mark price is the index price, and the source of the index price is the oracle. Whether CEX or DEX, the oracle plays the role of a bridge for information transmission between on-chain and off-chain. However, this bridge, although crucial, becomes extraordinarily fragile in times of liquidity scarcity.
2.1 Oracle: The Fragile Bridge Connecting On-chain and Off-chain
The blockchain system is essentially closed and deterministic; smart contracts cannot actively access off-chain data, such as market prices of assets. The price oracle (Oracle) came into being; it is a middleware system responsible for securely and reliably transmitting off-chain data to on-chain, providing 'real-world' information input for the operation of smart contracts.
In core DeFi infrastructures such as perpetual contract trading platforms or lending protocols, the price data provided by the oracle almost constitutes the cornerstone of their risk management logic. However, a commonly overlooked fact is: an 'honest' oracle does not mean it reports a 'reasonable' price. The oracle's responsibility is only to accurately record the external world status it can observe; it does not judge whether the price deviates from the fundamentals. This characteristic reveals two entirely different attack paths:
Oracle Exploit: The attacker alters the oracle data sources or protocol through technical means, causing it to report erroneous prices.
Market Manipulation: The attacker, by actually operating the external market, deliberately raises or lowers the price, while the normally functioning oracle accurately records and reports this 'manipulated' market price. The on-chain protocol was not hacked, yet it produced unintended reactions due to 'information poisoning'.
The latter is the essence of the Mango Markets and Jelly-My-Jelly incidents: it’s not that the oracle was hacked, but rather that its 'observation window' was polluted.
2.2 The Pivot of the Attack: When Liquidity Defects Become Weapons The core of such attacks lies in exploiting the liquidity disadvantages of target assets in the spot market. For assets with thin trading, even small orders can cause sharp price fluctuations, providing opportunities for manipulators.
The attack on Mango Markets in October 2022 can be described as a 'model'. The attacker, Avraham Eisenberg, took advantage of the extreme liquidity depletion of its governance token MNGO (with daily trading volume below $100,000), successfully pushing the MNGO price up by over 2300% in a very short time by concentrating about $4 million in buying across multiple exchanges. This 'abnormal price' was completely recorded by the oracle and fed to the on-chain protocol, causing its borrowing limit to skyrocket, ultimately 'legally' emptying the platform's entire assets (about $116 million).
Target Selection: Attackers first screen target tokens, usually meeting the following conditions: they have launched perpetual contracts on a mainstream derivatives platform; the oracle price comes from several known, low-liquidity spot exchanges; daily trading volume is low, and the order book is sparse, making it extremely easy to manipulate.
Capital Acquisition: Most attackers obtain temporary massive funds through 'flash loans'. This mechanism allows borrowing and repaying assets in a single transaction, without any collateral, significantly reducing the manipulation cost.
Spot Market Blitz: Attackers place large buy orders simultaneously across all exchanges monitored by the oracle in a very short time. These orders quickly clear sell orders, pushing the price to a high position—far deviating from its true value.
Oracle Contamination: The oracle faithfully reads prices from the manipulated exchanges mentioned above, and even with mechanisms such as median and weighted average to resist fluctuations, it is difficult to withstand simultaneous multi-source manipulation. The final index price becomes severely polluted.
Mark Price Infection: The contaminated index price enters the derivatives platform, affecting the calculation of the mark price. The liquidation engine misjudges the risk range, triggering large-scale 'liquidations', leading to heavy losses for traders, while attackers can achieve arbitrage through reverse positions or lending operations.
The attacker's 'battle manual': the double-edged sword of transparency
Whether CEX or DEX protocols often take 'open-source transparency' as a virtue, publicly disclosing their oracle mechanisms, data source weights, price refresh frequencies, etc., aiming to build user trust. However, for attackers, this information becomes the 'manual' for developing attack plans.
Taking Hyperliquid as an example, its oracle architecture publicly lists all data source exchanges and their weights. Attackers can accurately calculate how much capital to invest in each of the least liquid exchanges to maximize the distortion of the final weighted index. This kind of 'algorithm engineering' makes the attack controllable, predictable, and minimizes costs.
Mathematics is simple, but people are complex.
Part Three: The Hunting Ground—Structural Risk Analysis of Hyperliquid
After understanding the attack principles, the 'attacker' then needs to choose a suitable 'battlefield' for implementation—Hyperliquid. Although manipulating the oracle is a common attack method, the reason the 'Jelly-My-Jelly' incident could occur on Hyperliquid and cause serious consequences lies fundamentally in the platform's unique liquidity structure and liquidation mechanism. These designs, aimed at enhancing user experience and capital efficiency, while innovative, inadvertently provided attackers with an ideal 'hunting ground'.
3.1 HLP Vault: Democratized Market Makers and Liquidation Counterparties
One of Hyperliquid's core innovations is its HLP Vault—a fund pool managed uniformly by the protocol, bearing dual functions. (Detailed HLP introduction: https://x.com/agintender/status/1940261212954173716 )
First, HLP acts as the platform's active market maker. It allows community users to deposit USDC into the vault, participate in the platform's automated market-making strategies, and share profits (or losses) proportionally. This 'democratized' market-making mechanism enables HLP to continuously provide buy and sell orders for numerous illiquid altcoins. Because of this, even tokens like JELLY, with a smaller market cap and extremely low liquidity, can support multi-million dollar leveraged positions on Hyperliquid—something that traditional exchanges find difficult to achieve. (In simpler terms, it means positions can be established.)
However, this design not only attracts speculators but also more dangerous entities: attackers who deliberately manipulate the market.
More critically, HLP also serves as the platform's 'liquidation stop-loss backup', the final liquidation counterpart. When leveraged positions are forcibly liquidated, and there are not enough liquidators in the market willing to take over, the protocol will automatically transfer these high-risk positions to the HLP vault, paying the oracle price in full.
The consequence of this mechanism is that HLP becomes an entity that can be deterministically exploited, with no autonomous judgment ability. When deploying strategies, attackers can fully predict who will take over their 'toxic position' once liquidation is triggered—it's not a random and unpredictable counterparty in the market, but rather an automated system that executes smart contract logic and acts 100% according to the rules: HLP vault.
3.2 Structural Defects of the Liquidation Mechanism
The Jelly-My-Jelly incident exposed a fatal flaw in Hyperliquid under extreme market conditions, rooted in the internal funding structure and liquidation model of the HLP vault.
When the attack occurred, there was no strict isolation mechanism between the 'liquidation reserve pool' responsible for handling liquidated positions and other fund pools executing market making strategies. They shared the same collateral. When the attacker’s $4 million short position was liquidated due to the spike in the mark price, this position was fully transferred to the liquidation reserve pool. As the price of JELLY continued to rise, the losses of this position continued to expand.
The attacker only needs to trigger liquidation (actively reduce margin) to seamlessly pass their losing position to the system’s counterparties—HLP Vault. The attacker knows well: the protocol rules will force HLP to take over at the most disadvantageous price moment, becoming their 'unconditional buyer'.
In theory, when the position's losses become large enough to threaten the stability of the platform's system, the automatic liquidation ADL mechanism should trigger, forcing users in the opposite profit direction to reduce their positions to share the risk. But this time, the ADL did not start.
The reason is: although the liquidation reserve pool itself had already incurred deep losses, since it could call upon the collateral assets of other strategy pools in the entire HLP vault, the system determined that the 'overall health' of the entire HLP vault was still good, thus failing to trigger the risk control mechanism. This shared collateral mechanism inadvertently bypassed the ADL systemic risk defense line, causing losses that should have been borne by the market as a whole to ultimately concentrate and explode within the HLP vault.
Part Four: Case Analysis—A Complete Review of the Jelly-My-Jelly Attack
On March 26, 2025, a meticulously planned attack took place on Hyperliquid, targeting Jelly-My-Jelly (JELLY). This attack cleverly combined liquidity manipulation, a deep understanding of oracle mechanisms, and the exploitation of structural weaknesses in the platform, becoming a classic case for deconstructing modern DeFi attack patterns.
4.1 Phase One: Layout—A $4 Million Short Trap
This attack was not an impulse. On-chain data shows that the attacker had spent ten days prior conducting a series of small-scale trades to test the strategy, clearly preparing for the final action.
On March 26, when JELLY's spot price oscillated around $0.0095, the attacker began to implement the first phase. Multiple wallet addresses participated, among which address 0xde96 was a key executor. The attacker quietly built a short position worth about $4 million in the JELLY perpetual contract market through self-trading (acting simultaneously as a buyer and seller), supported by a total of $3 million in long positions through matching trades. The purpose of these matching trades was to maximize the open interest of the contracts while avoiding triggering abnormal market fluctuations, thereby laying the groundwork for subsequent price manipulation and liquidation inducement.
4.2 Phase Two: Raid—The Lightning War in the Spot Market
After the layout was completed, the attack entered the second phase: rapidly raising the spot price. JELLY was the target the manipulators dreamed of. Its total market capitalization was only about $15 million, and its order book on mainstream exchanges was extremely weak. According to Kaiko Research data, its 1% market depth was only $72,000, far below that of other similar tokens.
The attacker took advantage of this point by simultaneously initiating a buying spree on multiple centralized and decentralized exchanges. Due to the lack of selling support, the spot price of JELLY was rapidly pushed up within a short time. Starting from $0.008, the price skyrocketed by over 500% in less than an hour, reaching a peak of $0.0517. Meanwhile, trading volume also exploded. On the same day, the trading volume of JELLY on just one exchange, Bybit, exceeded $150 million, setting a historical record.
4.3 Phase Three: Detonation—Oracle Pollution and Liquidation Waterfall
The violent rise in spot prices quickly transmitted to Hyperliquid's mark price system. Hyperliquid's oracle mechanism uses a multi-source weighted median algorithm, integrating spot data from multiple exchanges such as Binance, OKX, and Bybit. Due to the attackers acting simultaneously at these key sources, the aggregated index price was effectively polluted, driving the internal mark price of the platform to rise in sync.
The spike in the mark price directly detonated the previously deployed short position of the attacker. As losses expanded, the $4 million position triggered forced liquidation. At this moment, it was not a failure of the attack, but rather the core link of the attack design.
Since the HLP vault acts as the platform's liquidation counterparty, and according to the smart contract logic unconditionally takes over, while the liquidation system failed to trigger the ADL (automatic liquidation) mechanism to distribute risk, the entire high-risk position was directly pushed onto HLP. In other words, the attacker successfully transferred their liquidation losses to the socialized system, making the liquidity providers of HLP bear the cost of their manipulative actions.
4.4 Phase Four: Aftermath—Emergency Delisting and Market Reflection
As Hyperliquid fell into chaos, the external market also reacted complexly. Within an hour of JELLY being manipulated to a high position, Binance and OKX almost simultaneously launched JELLY's perpetual contract. The market generally interpreted this action as 'taking advantage of the fire' against the competing Hyperliquid, further exacerbating JELLY's market volatility and indirectly expanding the potential losses of the HLP vault.
Faced with immense pressure from the market and the community, Hyperliquid validator nodes urgently voted through multiple countermeasures: immediately and permanently delist the JELLY perpetual contract; fund from the foundation to fully compensate all affected users from non-attack addresses.
According to Lookonchain data, at the peak of the attack, the unrealized loss of the HLP vault reached as high as $12 million. Although Hyperliquid officially reported that total losses were controlled within $700,000 within 24 hours, the impact of the entire event on the platform's structure and risk control system is undoubtedly profound.
Progress of the JELLY Incident
Conclusion—The 'Mark Illusion' of Perpetual Contracts and Defensive Propositions
The attacker in the Jelly-My-Jelly incident did not rely on complex contract vulnerabilities or cryptographic methods; they simply saw through and exploited the structural flaws in the mathematics of the mark price generation mechanism—small data sources, median aggregation, fragmented liquidity, and additionally operated within the market's liquidation mechanism. This type of attack does not require sophisticated hacking techniques, only reasonable market operations and a profound understanding of the protocol logic.
The fundamental problem of mark price manipulation is:
The high correlation of oracle data: seemingly 'multi-source' price inputs actually come from several exchanges with severely overlapping liquidity. Once a few key exchanges are compromised, the entire price index becomes meaningless.
The tolerance of aggregation algorithms for outliers: the median is effective in large samples but nearly powerless in small samples; when the input sources are themselves 'bought out', no matter how sophisticated the algorithm, it cannot save the situation.
The 'blind trust' problem of liquidation systems: almost all CEX and DeFi platforms assume that the mark price is fair, thus using it as a liquidation trigger. However, in reality, this trust is often built on a foundation of polluted data.
Establishing true 'anti-manipulation' between algorithms and games
The mark price should not be a value that is 'mathematically correct but strategically fragile', but should be a product of a mechanism that can maintain stability under real market pressure. The ideal of DeFi is to build trust through code, but code is not perfect; it can also solidify biases, amplify inherent defects, and even become a weapon in the hands of attackers.
The Jelly-My-Jelly incident was not accidental and will not be the last. It serves as a warning: without a deep understanding of the game structure, any 'certain' liquidation mechanism is a potential arbitrage entry. The maturation of mechanisms requires not only faster matching speeds and higher capital efficiency but also a self-reflection capability at the mechanism design level to identify and close these systemic risks obscured by 'mathematical aesthetics'.
May we always maintain a heart of reverence for the market.
Mathematics is simple; people are complex.
Only historical games are repetitive.
To know what is happening, and also to know why it is happening.
