Hyperliquid's $10.63M Exploit Highlights DeFi Risk Oversight

Generated by AI AgentCoin World
Thursday, Apr 3, 2025 3:54 pm ET

Hyperliquid, a decentralized finance (DeFi) platform, has recently faced significant scrutiny following a $10.63 million exploit of its JELLY token. Experts have highlighted that this breach was not due to a traditional bug but rather a result of risk oversight, which could potentially expose other DeFi protocols to similar vulnerabilities.

Dr. Jan Philipp Fritsche, a managing director at audit company Oak Security, analyzed the exploit and identified the root cause as unpriced risk—a principle often overlooked by DeFi platforms. This principle is well-established in conventional finance but is frequently ignored in the DeFi space.

The exploit unfolded when an attacker manipulated the market by opening a $5 million short position in JELLY and then draining the margin. Hyperliquid was left with the exposure, and other users exploited this vulnerability through a group short squeeze. Fritsche explained that the attacker created massive counter positions in JELLY, wagering that one side would break and the other would be covered. Because payouts were not capped and risk was not contained, the protocol absorbed the loss, allowing the attacker to make off with millions.

Fritsche referred to the attack as a “textbook example of unpriced vega risk,” emphasizing how protocols are prone to overlook implied volatility. Most decentralized exchanges lack proper means of risk pricing, leaving them exposed to such strategic attacks.

In the aftermath of the attack, backlash poured in from the industry.

CEO Gracy Chen criticized Hyperliquid’s architecture as “immature, unethical, and unprofessional,” drawing parallels between it and the now-defunct FTX. While Hyperliquid has promised to reimburse affected users, its reputation has taken a major hit.

The JELLY exploit is part of a larger pattern in DeFi. In 2024 alone, exploits cost $308.7 million—more than the $192.9 million lost to rug pulls. Just days after the Hyperliquid attack, another DeFi protocol, SIR.trading, was drained of its entire $355,000 total value locked. This event serves as a reminder that as DeFi grows, so must its security maturity to prevent history from repeating itself.
