Recently, the address 0xf3f496c9486be5924a93d67e98298733bb47057c went long ETH on Hyperliquid at 50x leverage, with a maximum floating profit of more than 2 million US dollars. Because the position was so large and DeFi is transparent, the entire crypto market was watching this whale's movements. The public generally expected his next move to be either adding to the position to extend profits or closing it to take profits. Instead, he did something unexpected: he took profits by withdrawing margin, which made the system raise the liquidation price of the long position. In the end, the whale triggered liquidation and made a profit of 1.8 million US dollars.
What impact does this operation have? It hurts the liquidity of HLP.
HLP is Hyperliquid's own active market-making vault, which earns funding fees and liquidation income through market making. All users can also provide liquidity to HLP.
Because the ETH whale's profit was so large, a normal one-time liquidation would have run into insufficient liquidity on the counterparty side. Instead, he actively sought liquidation of the position, and HLP absorbed the loss. In just one day, March 12, the funds were reduced by about US$4 million.
This attack means that Perp Dex platforms face a severe challenge and must evolve their liquidity pool mechanisms. Taking this opportunity, WOO X Research compares the mechanisms used by the current mainstream Perp Dex platforms (Hyperliquid, Jupiter Perp, GMX) and then discusses how to prevent similar attacks from happening.
Reference: https://app.hyperliquid.xyz/vaults/0xdfc24b077bc1425ad1dea75bcb6f8158e10df303
Hyperliquid
Liquidity provision: Funds are provided by the community liquidity pool HLP (Hyperliquid Pool). Users can deposit USDC and other assets into the HLP Vault to become the platform's market-making liquidity. In addition, users are allowed to build their own "Vault" to participate in market-making profit sharing.
Market making mode: Uses high-performance on-chain order book matching to provide a centralized-exchange-level experience. HLP Treasury acts as a market maker, placing orders on the order book to provide depth and handling unmatched parts to reduce slippage. Prices reference external oracles to ensure that order prices stay close to the global market.
Liquidation mechanism: Liquidation is triggered when the minimum maintenance margin (usually 20% or more) is insufficient. Any user with sufficient capital can participate in liquidation and take over positions that do not meet the maintenance margin. HLP Vault also plays the role of a liquidation vault. If liquidation causes losses, HLP bears them (as in this attack).
Risk Management: Use multi-exchange price oracles, updated every 3 seconds, to prevent malicious pull-ups in a single market from causing incorrect prices. In response to extreme situations caused by whale positions, the minimum margin for some positions has been increased to 20% to reduce the impact of large forced liquidations on the pool. Anyone can participate in liquidation to increase decentralization, and a single Vault is set up to centrally bear risks. The disadvantage is that as an emerging proprietary chain, it has not yet undergone long-term testing, and there has been a risk of huge forced liquidation losses in the past.
Funding rate and position cost: The long and short funding rates are calculated every hour to anchor the contract price close to the spot price. If the long position is more dominant than the short position, the long position will pay the funding fee to the short position (and vice versa) to prevent long-term price deviation. In the case where the platform's net position exceeds the HLP tolerance range, Hyperliquid reduces the risk by increasing margin requirements and possibly dynamically adjusting the funding rate. The position cost is that in addition to the funding fee, there is no additional interest for holding the position overnight, but high leverage increases the pressure of funding fee expenditure.
Jupiter
Liquidity provision: Liquidity is provided by the multi-asset JLP (Jupiter Liquidity Pool), which includes index assets such as SOL, ETH, WBTC, USDC, and USDT. Users mint JLP by exchanging assets, and JLP bears the leveraged trading risk as a counterparty.
Market making model: Abandons the traditional order book and uses an LP-to-Trader mechanism. Through oracle pricing, traders trade directly with the JLP liquidity pool and get a transaction experience close to zero slippage. Advanced functions such as limit orders can be set, but in essence all transactions are filled by the pool at the oracle price.
Liquidation mechanism: It is automatic liquidation. When the position margin rate falls below the maintenance requirement (e.g. <6.25%), the smart contract automatically closes the position according to the oracle price. The JLP liquidity pool acts as the counterparty to absorb the profit and loss of the position. If the trader's position is liquidated, the remaining margin belongs to the pool. Users can increase or decrease collateral during the position to adjust the liquidation price, but excessive collateral withdrawal will make the liquidation price close to the current price and more prone to liquidation.
Risk management: Through the oracle, the contract price is kept close to the spot price to avoid internal price manipulation. Solana chain's high TPS reduces the risk of liquidation lag, but if the underlying network is unstable, it will affect transactions and liquidation. To prevent malicious manipulation, the platform can set limits on the total position of a single asset (for example, limiting the maximum leverage position amount). At the same time, the borrowing rate increases with the asset utilization rate, which increases the cost of long-term unilateral holdings and suppresses extreme bias. So far, traders are generally in a net loss, and JLP funds have grown relatively steadily.
Funding rate and position cost: There is no traditional funding rate. Jupiter Perp does not use long-short mutual payment of funding fees because the counterparty is a liquidity pool rather than a long-short pairing. Instead, it is replaced by a borrowing fee, which accumulates interest hourly based on the ratio of the borrowed assets to the pool and is deducted from the margin. Therefore, the longer the position is held or the higher the asset utilization rate, the more interest is accumulated, and the liquidation price will gradually approach the market price over time. This mechanism serves as a cost constraint for long-term unilateral positions to avoid long-term imbalance in funding fees.
GMX
Liquidity provision: Liquidity is provided by the multi-asset index pool GLP (GMX Liquidity Pool), which includes BTC, ETH, USDC, DAI and other assets. Users deposit assets to mint GLP, and GLP becomes the counterparty of all transactions and bears the transaction profits and losses.
Market making model: There is no traditional order book, and GMX automatically acts as a counterparty through oracle quotes and pool assets. GMX uses Chainlink decentralized oracle to obtain market prices and execute transactions with "zero slippage". The GLP asset pool is equivalent to a unified market maker, which adjusts the assets in the pool through the price impact fee mechanism to ensure liquidity depth.
Liquidation mechanism: Automatic liquidation. The Chainlink index price is used to calculate position value, and liquidation is triggered when the margin ratio falls below the maintenance level (such as about 1.25 times the initial margin). On liquidation, the contract automatically closes the position; the user's margin is first used to pay for the pool's loss, and the remainder (if any) is returned or included in insurance. As the counterparty, the GLP asset pool directly bears the loss or receives the margin income from the liquidation.
Risk management: Use authoritative multi-source oracles to reduce the risk of manipulation and avoid abnormal fluctuations in a single trading pair that may lead to erroneous forced liquidation. Traders have used the GMX zero slippage mechanism to manipulate prices in the external market for arbitrage, and the team subsequently set a maximum opening limit for easily manipulated assets such as AVAX (such as a maximum position of $2 million). Through such position limits and dynamic rate mechanisms (the higher the asset utilization rate, the higher the position interest), leverage risks are limited, and 70% of the transaction fees are awarded to GLP to increase LP's motivation to tolerate losses.
Funding rate and position cost: GMX V1 does not have funding fees paid by long/short positions; instead, there is a borrowing fee (0.01% per hour based on the proportion of borrowed assets). This fee is paid directly to the GLP pool, which means that regardless of whether the position is long or short, the position holder must pay the interest on the position and include it in the position profit and loss. The higher the asset utilization rate, the higher the annualized rate of borrowing fees (which can exceed 50% annualized), which economically punishes long-term unilateral crowded positions.
In this mode, the perpetual price is always close to the spot price (zero slippage), and there is no funding imbalance in the traditional sense, but the pool needs to bear the gains and losses when the price changes drastically.
Hyperliquid vs. Jupiter vs. GMX Quick Comparison Chart
Conclusion: The inevitable path for decentralized contract exchanges
The attack took advantage of the decentralized nature of Perp Dex: transparency and rules determined by code.
The overall idea of the attack is to make profits through huge positions and attack the liquidity within the exchange.
If we want to take precautions in the future, we must reduce the size of the positions users can open. We can start with the leverage ratio and margin. Hyperliquid also announced that it would reduce the maximum leverage ratio of BTC and ETH to 40 times and 25 times respectively, and increase the required margin transfer ratio by 20%. The overall purpose is to prevent users from opening huge positions.
If we follow this line of thought, what else can Hyperliquid do? ADL, the automatic position reduction mechanism.
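Added example (not code from WOO X Research or Hyperliquid): a margin-withdrawal guard built on a simplified linear-perp model, showing how the withdrawal described at the top of the article pushes a long's liquidation price up to the mark price, and how a post-transfer margin requirement blocks it. The position figures, the 1% maintenance rate and the function names are constructed assumptions, not the whale's real numbers or any platform's exact formula.

```python
from dataclasses import dataclass

@dataclass
class LongPosition:
    size: float         # position size in ETH
    entry_price: float  # USD
    margin: float       # USD collateral posted (excludes unrealized PnL)

def equity(pos: LongPosition, mark: float) -> float:
    """Collateral plus unrealized PnL at the mark price."""
    return pos.margin + pos.size * (mark - pos.entry_price)

def liquidation_price(pos: LongPosition, mmr: float) -> float:
    """Price at which equity equals mmr * notional for a long.
    Solves margin + size*(p - entry) = mmr*size*p for p (assumed model)."""
    return (pos.size * pos.entry_price - pos.margin) / (pos.size * (1 - mmr))

def check_withdrawal(pos, mark, amount, mmr, min_ratio_after):
    """Evaluate a margin withdrawal request before executing it.
    Returns (allowed, liq_price_before, liq_price_after)."""
    before = liquidation_price(pos, mmr)
    after_pos = LongPosition(pos.size, pos.entry_price, pos.margin - amount)
    after = liquidation_price(after_pos, mmr)
    # Equity left behind, as a fraction of notional at the current mark.
    ratio_after = equity(after_pos, mark) / (pos.size * mark)
    return ratio_after >= min_ratio_after, before, after

# Constructed scenario: 100,000 ETH long opened at 1,900 USD with 50x leverage
# (3.8M USD margin); mark is now 1,920 USD, so floating profit is 2M USD.
POS = LongPosition(size=100_000, entry_price=1_900.0, margin=3_800_000.0)
MARK = 1_920.0
MMR = 0.01  # assumed maintenance margin rate

def demo():
    """Same 3.7M USD withdrawal under a lax rule and under a 20% rule."""
    lax = check_withdrawal(POS, MARK, 3_700_000.0, MMR, min_ratio_after=MMR)
    strict = check_withdrawal(POS, MARK, 3_700_000.0, MMR, min_ratio_after=0.20)
    return lax, strict

if __name__ == "__main__":
    lax, strict = demo()
    print(f"liq price before {lax[1]:.2f}, after {lax[2]:.2f}, mark {MARK:.2f}")
    print(f"lax rule allows: {lax[0]}; 20% rule allows: {strict[0]}")
```

When only the maintenance rate is checked, the withdrawal is accepted and the liquidation price moves from about 1,880.81 to about 1,918.18, just under the mark, so the pool inherits the full position almost immediately.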
When the risk reserve (HLP) cannot bear further losses caused by liquidating loss positions, the automatic position reduction (ADL) mechanism will be activated to limit further losses of the risk reserve. The core principle is that the loss position will be hedged with the profitable position or high leverage position in the opposite direction (i.e., the "reduced position"), and the two positions will offset each other and close at the same time. Due to the activation of the ADL mechanism, profitable positions may be forced to close, thereby limiting the future profit potential of the position and avoiding affecting the HLP treasury level.
All of the above measures are limited to a single account. Someone who wants to exploit loopholes in the rules can open multiple accounts to carry out similar attacks. Of course, the project owner can trace address associations and ban related accounts to prevent Sybil attacks (this is also one of the reasons why centralized exchanges require KYC). However, this measure runs counter to the core idea of DeFi: allowing anyone to use decentralized finance without permission.
The best solution lies in the Perp Dex protocol itself. As the market matures, liquidity will gradually increase, and the cost to attackers will rise until the attack becomes unprofitable. The current predicament is an inevitable stage in the development of the sector.