The recent JELLY token exploit has left Hyperliquid exchange’s users facing a staggering $10.63 million in losses. Reactions to this significant loss have been swift and intense, with many users accusing Hyperliquid of irresponsible protocols and practices.
Dr. Jan Philipp Fritsche, managing director at Oak Security, offered his analysis of the situation in a discussion with crypto.news. His insights revealed that the exploit was not the result of a bug, but a predictable failure. According to Dr. Fritsche, this failure could potentially pose a significant risk to other DeFi protocols.
The exploit was the result of a coordinated market manipulation by multiple users. One trader in particular opened a $5 million short position on JELLY, only to subsequently remove their margin. This left Hyperliquid in possession of the position, which led to other traders coordinating a short squeeze.
Dr. Fritsche explained, “The attacker opened massive opposing positions in JELLY, knowing that one side would collapse and the other would cash out. Because payouts weren’t capped and risk wasn’t isolated, the protocol ate the loss—and the attacker walked away with millions.”
He described this exploit as a “textbook example of unpriced vega risk”, a term originating from traditional finance referring to the implied volatility of an asset. He further emphasized that many DeFi protocols continue to overlook this crucial risk metric.
This incident isn’t the first time Hyperliquid has come under scrutiny for its handling of the JELLY token. In the aftermath of the exploit, Bitget CEO Gracy Chen criticized the exchange’s practices as “immature, unethical, and unprofessional,” even going as far as to suggest it could become the next FTX 2.0.
In response to the criticism and user losses, Hyperliquid has vowed to compensate those affected by the exploit. However, the reputational damage may be irreversible. More critically, this exploit has highlighted larger vulnerabilities within the decentralized finance sector.
According to data from Hacken, DeFi exploits led to user losses totaling $308.7 million in 2024 alone, surpassing rug pulls which accounted for $192.9 million. Only days after the JELLY exploit, another DeFi protocol, SIR.trading, fell victim to a similar exploit, losing its total value locked of $355,000.
This series of unfortunate incidents underscores the importance of rigorous security protocols and practices within the DeFi sector. As the sector continues to evolve and attract new users, these lessons serve as a sobering reminder of the risks inherent in decentralized finance and the need for vigilance and transparency.
