Hyperliquid was attacked and its network was disconnected; Polymarket was attacked by governance and its governance was inactive.

Author: Techub Hot News

Written by: Glendon, Techub News

Following the Hyperliquid liquidation incident caused by the "Hyperliquid 50x leveraged whale" on March 12, Hyperliquid once again encountered a "lightning attack" targeting its liquidity and governance model on the evening of March 26.

A trading team copied the operation of "Hyperliquid 50x leverage whale" to withdraw margin, trying to force Hyperliquid's HLP vault to take over the huge loss position. The difference is that this trading team did not choose Bitcoin and Ethereum, but set its sights on the Meme coin JELLYJELLY, which has low liquidity and is easy to manipulate. Although this aboveboard market manipulation did not succeed completely due to the emergency intervention of the exchange, it once again exposed Hyperliquid's multiple loopholes in governance centralization, liquidity management, and market manipulation defense.

Just one day before this incident, the cryptocurrency prediction market Polymarket was also controversial due to the centralization issues presented in a "big player governance attack" incident. As the important topic of "decentralization" has once again sparked heated discussions, as industry participants, how should we view the phenomenon that decentralized trading platforms are not "decentralized" enough? First, let's understand the causes and consequences of these two incidents.

Hyperliquid was "attacked" and "pulled the plug" at a critical moment

In hindsight, this carefully planned "open card sniping" was not complicated. On March 26, the trading team first opened a short order of 430 million JELLYJELLY on Hyperliquid through an address starting with 0xde9 with a margin of 3.5 million USDC, which was worth about 4.08 million US dollars at the time, and the opening price was 0.0095 US dollars.

Subsequently, the team began to buy a large number of JELLYJELLY tokens to push up the spot price, and withdrew the $2.76 million margin after closing 30 million JELLYJELLY short orders at $0.0103. In this way, the team successfully dumped 398 million JELLYJELLY short orders to Hyperliquid, triggering the automatic liquidation mechanism, which forced the HLP vault to take over. With this operation, the floating loss of the HLP vault once exceeded $13 million.

The reason why this incident was carefully planned and premeditated is that according to the cryptocurrency KOL "pepper Huajiao (Jiepan)", as early as March 24, someone claiming to be the "jellyjelly project party" contacted him to help promote the listing of JELLYJELLY on Binance. Unexpectedly but also reasonable, not long after that night, OKX and Binance successively launched JELLYJELLY perpetual contract trading pairs. Affected by this, the price of JELLYJELLY rose rapidly, from $0.0095 when it opened to more than $0.066.

According to Aunt Ai’s monitoring, if the counterparty had raised the price of JELLYJELLY to around $0.17, the HLP Treasury would have faced liquidation and lost the $240 million it held. And what’s worse is that as the price of JELLYJELLY continued to rise, the funds in the HLP Treasury continued to flow out.

At the critical moment when the price of the coin was approaching the liquidation line, Hyperliquid took action. However, the exciting game that people imagined did not happen. Hyperliquid directly suspended the price update of JELLYJELLY by "pulling the network cable" and forcibly delisted the token. Subsequently, Hyperliquid forcibly settled the short order at the initial opening price of US$0.0095, while the spot price of JELLYJELLY was about US$0.05 at that time.

Hyperliquid tweeted an explanation: "After finding evidence of suspicious market activity, the validator group held a meeting and voted to delist the JELLY contract. All users, except for the addresses marked as violating, will receive full compensation from the Hyper Foundation. This will be done automatically based on on-chain data in the next few days. No invoice is required. The specific method will be shared in detail in a subsequent announcement. Please note that as of the time of writing, HLP's 24-hour profit and loss is approximately 700,000 USDC. We will make technical improvements and learn from experience to make the network stronger."

After that, Hyperliquid seemed to have successfully resolved the liquidation crisis, while the price of JELLYJELLY fell sharply. GeckoTerminal market showed that as of the time of writing, JELLYJELLY had fallen to $0.0197. So, has Hyperliquid really survived the crisis and is safe?

Perhaps the subsequent impact of this incident will continue to haunt Hyperliquid for a long time.

First, for Hyperliquid, the most direct change was that users withdrew funds due to panic, exacerbating liquidity pressure, causing the platform to have a net outflow of USDC of $140 million within hours of the incident, and the TVL dropped from $2.5 billion to $2.07 billion in the past 30 days. Secondly, this incident also revealed many problems of Hyperliquid, such as liquidity design defects, reliance on vaults as counterparties, and insufficient risk control for high leverage. Although the giant whale liquidation incident has exposed similar vulnerabilities, Hyperliquid's improvement measures have failed to effectively prevent secondary attacks.

The most far-reaching impact is the collapse of Hyperliquid’s decentralized narrative. Hyperliquid’s emergency delisting of tokens and forced settlement regardless of the actual market price avoided huge losses for the treasury and users, but also caused users to question its decentralization and fairness of rules.

In particular, the Hyperliquid validator committee is completely controlled by the official foundation. The seemingly decentralized voting decision-making actually lacks community participation. According to Spreek’s tweet, the voting validators in this incident of Hyperliquid are all from the Hyper Foundation. This move also highlights the centralized nature of Hyperliquid’s governance, and even caused it to be called a “CEX in the guise of a DEX” by the community.

In addition, retail investors are undoubtedly the biggest victims in this incident. According to Coinglass data, as of the time of writing, the liquidation amount of JELLYJELLY in the past 24 hours has reached about 16.94 million US dollars. They followed the trend to buy or go long on JELLYJELLY, but as the price of the latter plummeted from $0.066 to $0.02 like a roller coaster, many retail investors suffered heavy losses after taking over at high prices. This may further shake the trust of retail investors in decentralized platforms.

So, did the trading teams that manipulated the market and Binance and OKX that "added fuel to the flames" win?

Probably not, in fact this may be a game with no winners.

The trading team operated short orders and pulled the price through multiple accounts, trying to force Hyperliquid's vault to go bankrupt. However, Hyperliquid removed the tokens and forced liquidation, causing the price of JELLYJELLY to fluctuate violently. The long orders and spot orders opened by the trading team may suffer losses, and as violators, they were excluded from the compensation list by Hyperliquid, and ultimately they may not be able to achieve their expected returns.

As for Binance and OKX, their reputations were more damaged. They quickly launched the JELLYJELLY contract during the Hyperliquid crisis, pushing up the price of the currency. They were accused by the community of "adding insult to injury" by attacking their opponents and competing for traffic. In addition to arousing users' disgust, many users also doubted the rigor of Binance and OKX in screening listed projects.

Polymarket was attacked by governance for "inaction". How should we view the dilemma and new life of decentralized governance?

On March 25, before the Hyperliquid incident, a serious oracle manipulation attack also occurred on Polymarket.

When the prediction market was about to settle, a user who held a large number of UMA tokens manipulated the oracle voting mechanism to tamper with the settlement results in order to reverse the loss. In the end, the big user and the users who should have lost the bet shared all the funds in the prize pool. Although Polymarket has experienced many small-scale market manipulations before, it quickly attracted widespread attention because the bets in the prediction market prize pool exceeded 7 million US dollars.

The prediction market question involved in this incident was: "Will Ukraine agree to sign a mineral agreement with Trump before April?"

According to the actual situation, as of the time of market settlement, Trump only verbally stated that the agreement would be signed "soon", and there was no official statement confirming that Ukraine and the United States had officially signed the agreement. However, Polymarket ignored the facts and ruled the result as "YES".

So how do big investors do this? The answer lies in Polymarket’s judgment and voting mechanisms.

Polymarket relies on UMA's decentralized oracle to verify the results, and the voting rights are controlled by UMA token holders. However, since UMA tokens are highly concentrated in the hands of a few "whales", the seemingly decentralized UMA is actually easily influenced by capital. On the other hand, Polymarket's voting rules have further exacerbated this centralized tendency: it usually takes a deposit of up to $750 to raise an objection, but if the voting result is wrong, the objector will lose the deposit; and even if the result is correct, the reward they can get is not much, which causes ordinary users to be afraid of losses and dare not easily raise objections. However, large holders who hold a large amount of UMA can easily pay the deposit and dominate the voting direction.

In this incident, this big investor cast approximately 5.08 million UMA tokens (approximately 25% of the total votes) through three accounts before the market was about to settle, which ultimately led to a reversal of the ruling.

This incident directly exposed the capital control risks hidden in the decentralized mechanism of Polymarket. However, unlike the "power centralization" controversy surrounding the Hyper Foundation, Polymarket highlights more "capital centralization". As many users have questioned, when these big players can "turn right and wrong" with their token holdings, how can ordinary participants trust the fairness of this market?

Crypto KOL "MARMOT" even tweeted to condemn that Polymarket has deceived users again. If Polymarket does not take any action, he will never use this website again and advises other users not to use it.

Interestingly, in the face of community and user accusations and protests, Polymarket officials admitted after the incident that the ruling was inconsistent with user expectations and reality, but refused to refund the affected users on the grounds of "non-system failure" and only promised to strengthen system monitoring and improve rules with the UMA team.

This operation can be said to be completely opposite to Hyperliquid's operation. Polymarket chose to maintain the appearance of "procedural justice" and made it clear that it would not interfere in this incident. As expected, Polymarket's "inaction" triggered stronger criticism from the community.

In these two incidents, we once again saw the controversy surrounding the topic of "decentralization". Hyperliquid's decision to unplug the network was seen as "over-centralized behavior", while Polymarket's statement and the oracle manipulation incident earned it the evaluation of "pseudo-decentralization". The underlying reason is actually the dilemma of decentralized platforms in crisis management: human intervention violates the "decentralization principle", while letting it go will sacrifice user rights.

Although the Crypto industry has been developing for 17 years, to this day, achieving "true decentralization" is still constrained by many practical factors. From the perspective of objective development trends, as the leaders in their respective fields, the emergence of such incidents is actually a necessary stage for exposing their loopholes in governance, algorithmic rules, and mechanism design.

As mentioned above, Polymarket relies on UMA oracles for its decisions, but the voting rights of UMA tokens are highly concentrated in the hands of a few whales. Although the system is nominally "decentralized", it is still manipulated by capital, resulting in results that deviate from reality; although Hyperliquid's emergency decision is in the name of "decentralized voting", the validators are all from the official foundation, which is essentially centralized intervention. These governance defects and deficiencies may become an opportunity for Hyperliquid and Polymarket to improve algorithm mechanisms and risk management, and also point the way for their subsequent mechanism reforms and innovations.

On the other hand, I believe that the industry and the community can be more tolerant of decentralized platforms, allowing them to conduct centralized intervention in the short term in exchange for long-term evolution. Just as Hyperliquid decisively removed tokens and forced liquidation when facing the risk of treasury liquidation, although it violated the "decentralization principle", it protected the assets of most users. This is consistent with the intervention logic of the Ethereum Foundation in the The DAO incident in June 2016 - sacrificing short-term ideals to maintain the survival of the system.

At the same time, user trust also needs to be gradually established. Decentralized products cannot rely on powerful endorsements like CEX. Therefore, if users choose the former, they need to accept the potential risks of "code is law" and also give the project time to fix vulnerabilities and upgrade technology.

As for the decentralized products themselves, it is worth mentioning that many projects should have focused more on optimizing their products after obtaining a stable way to make profits. However, some projects stagnated their innovation after making money, and then started the "lying flat" mode. Just as Hyperliquid quickly became the leader of the decentralized perpetual contract market after the airdrop, it did not devote enough energy to solving its hidden dangers in automated liquidation mechanisms, responding to market manipulation, and liquidity management. Therefore, this time the "open card sniping" of the trading team, Binance, and OKX and other CEXs once again exposed its vulnerability as a decentralized platform. However, a blessing in disguise may also alert Hyperliquid, thereby forcing it to accelerate technology upgrades and improve risk control.

Currently, many decentralized products are at a crossroads where algorithmic mechanisms and governance models need innovation. The Polymarket incident shows that a voting mechanism that relies solely on token weights can easily evolve into "capital dictatorship", while the Hyperliquid case proves that completely eliminating human intervention may also amplify systemic risks. Exploring a "resilient decentralization" model will be a very challenging issue. For these products, short-term centralized intervention is only a stopgap measure, and in the long run, they must return to the essence of "code governance."