When the loyal messenger was weaponized, the mark price, the impartial judge, became the fuse that ignited Hyperliquid's chain liquidation storm.
In March 2025, JELLY, a niche token with a daily trading volume of less than $2 million, triggered a multi-million dollar liquidation on Hyperliquid. Shockingly, the attacker neither tampered with the smart contract nor exploited traditional code vulnerabilities. Instead, they weaponized the platform's core security mechanism—the mark price.
This wasn't a hacker attack, but a compliance attack on the system's rules. The attacker exploited the platform's publicly available computational logic, algorithmic processes, and risk control mechanisms, launching a codeless attack that was highly destructive to both the market and traders. The mark price, supposedly an anchor of market neutrality and security, was transformed from a shield into a sharp weapon in this incident.
This article will analyze the systemic risks of the mark price mechanism in altcoin perpetual swaps from both theoretical and practical perspectives, and provide a detailed review of the Jelly-My-Jelly attack. This incident not only reveals the structural vulnerabilities of oracle design and the double-edged sword nature of innovative liquidity pools (HLP Vaults), but also exposes the inherent asymmetry in the protection of user funds under current mainstream liquidation logic during extreme market conditions.
Part 1: The core paradox of perpetual contracts - the tilted liquidation mechanism caused by a false sense of security
1.1 Mark Price: Liquidation Tendency Brought by a Consensus Game Falsely Assuming Security
To understand how the mark price becomes an attack vector, we must first break down its construction. While the calculation methods vary slightly between exchanges, the core principle remains consistent: a three-value median mechanism built around the "index price."
The Index Price is the cornerstone of the Mark Price. It doesn't originate from the derivatives exchange itself, but rather is calculated by taking a weighted average of the asset's prices across multiple mainstream spot trading platforms (such as Binance, Coinbase, and Kraken). It aims to provide a fair reference price across platforms and regions.
A typical mark price calculation is as follows:
Mark Price = Median (Price1, Price2, Last Traded Price)
Price1 = Index Price × (1 + Funding Rate Basis): Anchors the contract price to the index price and takes market expectations into account.
Price2 = Index Price + Moving Average Basis: used to smooth short-term price anomalies.
Last Traded Price = The latest traded price on the derivatives platform.
The original intention of introducing the median was to eliminate outliers and improve price stability. However, the security of this design is entirely based on a key assumption: the number of input data sources is sufficient, the distribution is reasonable, the liquidity is strong, and it is difficult to be manipulated by coordination .
However, in reality, the spot markets for most altcoins are extremely weak. Once an attacker can control the prices on a few low-liquidity platforms, they can "taint" the index price, legitimately injecting malicious data into the mark price through a formula. This attack can trigger large-scale leveraged liquidations at minimal cost, triggering a chain reaction.
In other words, while aggregation mechanisms are meant to disperse risk, in markets with sparse liquidity, they instead create a "centralized vulnerability" that attackers can control. The more a derivatives platform emphasizes the transparency and predictability of its rules, the more attackers can "programmatically exploit the rules" and construct a compliant path for sabotage.
1.2 Liquidation Engine: The Platform’s Shield and Blade
When market prices move rapidly in an unfavorable direction, traders' margins will be eroded by floating losses. Once the remaining margin falls below the "Maintenance Margin", the liquidation engine will be activated.
The core triggering factor in these processes is the Mark Price , not the platform's latest transaction price. This means that even if the current market price hasn't yet reached your liquidation threshold, as soon as the "invisible" Mark Price is reached, liquidation will be triggered immediately.
What is more worthy of vigilance is the "forced liquidation" (or early liquidation) mechanism.
To mitigate the risk of margin calls, risk control systems on many exchanges often employ conservative liquidation parameters. When forced liquidation is triggered, even if the closing price is better than the price that would have eliminated losses, the platform typically does not return this "forced liquidation surplus" but instead deposits it directly into the platform's insurance fund. This can create the illusion that traders are experiencing premature liquidation despite having margin, effectively reducing their accounts to zero.
This mechanism is particularly common in illiquid assets . To hedge their own risks, platforms adjust liquidation thresholds to be more conservative, making it easier for positions to be "early closed" during price fluctuations. While the logic is sound, the result is a subtle misalignment between the interests of platforms and traders in extreme market conditions.
The liquidation engine should be a neutral risk control tool, but in terms of profit attribution, parameter selection, and trigger logic, it has a tendency to profitize the platform.
1.3 Mark Price Invalidation Leads to Distortion of the Liquidation Engine
Under the platform's tendency to be averse to losses, the sharp fluctuations in index prices and mark prices further exacerbate the advance (or backward) shift of the forced liquidation money.
The theory of mark price provides a fair, manipulation-resistant price benchmark by aggregating data from multiple sources and using a median algorithm. However, while this theory may hold true when applied to liquid mainstream assets, its effectiveness faces significant challenges when applied to altcoins with thin liquidity and concentrated trading venues.
The failure of the median: The statistical dilemma of centralized data sources
Validity in large data sets : Consider a price index consisting of 10 independent, highly liquid data sources. If one of these sources, for some reason, produces an extreme quote, the median algorithm can easily identify it as an outlier and ignore it, taking the median price as the final price, thus maintaining the stability of the index.
Vulnerability in small datasets : Now, let’s consider a typical altcoin scenario.
Three-data-source scenario : If an altcoin's mark price index consists of only spot prices from three exchanges (A, B, and C), the median is the middle price of the three. If a malicious actor simultaneously manipulates the prices on two of these exchanges (e.g., A and B), then regardless of the authenticity of C's price, the median will be determined by the manipulated prices of A and B. In this case, the median algorithm provides little protection.
Dual Data Source Scenario : If the index contains only two data sources, the median is mathematically equivalent to the average of the two prices. In this case, the algorithm completely loses its ability to remove outliers. Large fluctuations in either data source are directly and undimmed transmitted to the mark price.
For the vast majority of altcoins, trading depth and the number of exchanges listed on them are extremely limited, making their price indices highly susceptible to the aforementioned "small dataset" trap. Therefore, the sense of security offered by exchanges' claimed "multi-source indices" is often an illusion in the altcoin world. The last traded price is often equated with the mark price.
Part 2: The Oracle Dilemma: When Spot Liquidity Dries Up and Becomes a Weapon
The foundation of the mark price is the index price, which in turn originates from the oracle. Whether on a CEX or a DEXi, the oracle acts as a bridge for information transmission between on-chain and off-chain transactions. However, while this bridge is crucial, it is particularly fragile when liquidity is scarce.
2.1 Oracle: A fragile bridge between on-chain and off-chain
Blockchain systems are inherently closed and deterministic, meaning smart contracts cannot actively access off-chain data, such as the market price of an asset. This is where price oracles come in. Oracles are middleware systems that securely and reliably transmit off-chain data to the blockchain, providing real-world input for smart contracts to operate.
In core DeFi infrastructure, such as perpetual contract trading platforms or lending protocols, the price data provided by oracles almost forms the cornerstone of their risk management logic. However, an often-overlooked fact is that an "honest" oracle does not necessarily report "reasonable" prices. The oracle's responsibility is simply to faithfully record the state of the external world it can observe; it does not determine whether prices deviate from fundamentals. This characteristic reveals two distinct attack paths:
Oracle Exploit : An attacker uses technical means to tamper with the oracle data source or protocol, causing it to report incorrect prices.
Market Manipulation : Attackers manipulate external markets to deliberately push up or down prices, while properly functioning oracles faithfully record and report these manipulated prices. While the on-chain protocol remains intact, information poisoning can lead to unexpected reactions.
The latter is exactly the essence of the Mango Markets and Jelly-My-Jelly incidents: it was not that the oracle was compromised, but that its "observation window" was contaminated.
2.2 Fulcrum of Attack: When Liquidity Defects Become Weapons
The core of this type of attack is to exploit the target asset's liquidity disadvantage in the spot market. For thinly traded assets, even small orders can cause drastic price fluctuations, providing opportunities for manipulators to exploit.
The October 2022 attack on Mango Markets is a prime example. Attacker Avraham Eisenberg exploited the extreme liquidity depletion of MNGO, the platform's governance token (daily trading volume at the time was less than $100,000). By investing approximately $4 million in multiple exchanges, he successfully drove the price of MNGO up by over 2,300% in a very short period of time. This "abnormal price" was fully recorded by oracles and fed to the on-chain protocol, causing its borrowing limits to skyrocket, ultimately "legally" draining the platform of its entire assets (approximately $116 million).
Attack Path Explained: Five Steps to Breaking Through Protocol Defenses
Target Selection : The attacker first screens the target tokens, which usually meet the following conditions: a perpetual contract is launched on a mainstream derivatives platform; the oracle price comes from several known spot exchanges with low liquidity; the daily trading volume is low, the order book is sparse, and it is extremely easy to manipulate.
Capital Acquisition : Most attackers obtain temporary, large amounts of capital through “flash loans.” This mechanism allows assets to be borrowed and returned in a single transaction, without requiring any collateral, significantly reducing the cost of manipulation.
Spot Market Blitz : An attacker places a large number of buy orders simultaneously across all exchanges monitored by the oracle within a very short period of time. These orders quickly sweep away all sell orders, driving the price to a high level—far away from its true value.
Oracle Contamination : Oracles faithfully read prices from these manipulated exchanges. Even with anti-volatility mechanisms like medians and weighted averages, they are unable to protect against simultaneous manipulation from multiple sources. The resulting index price is severely contaminated.
Mark Price Infection : Contaminated index prices enter derivatives platforms, affecting mark price calculations. Liquidation engines misjudge risk levels, triggering large-scale liquidations. Traders suffer heavy losses, while attackers profit from reverse positions or borrowing.
The attacker's playbook: The double-edged sword of transparency
Both CEX and DEX protocols often promote open source transparency, publicly disclosing details such as their oracle mechanisms, data source weighting, and price refresh rates in an effort to build user trust. However, for attackers, this information becomes a "manual" for developing attack plans.
Take Hyperliquid, for example. Its oracle architecture publicly lists all data source exchanges and their weights. This allows an attacker to precisely calculate how much capital to invest in each exchange with the lowest liquidity to maximize the distortion of the final weighted index. This "algorithmic engineering" makes the attack controllable, predictable, and cost-effective.
Mathematics is simple, but people are complex.
Part 3: Hunting Grounds — Analysis of Hyperliquid’s Structural Risks
After understanding the attack mechanism, the attackers next needed to choose a suitable battlefield: Hyperliquid. While oracle manipulation is a common attack method, the "Jelly-My-Jelly" incident occurred on Hyperliquid and caused such severe consequences due to the platform's unique liquidity structure and liquidation mechanism. While these innovative designs, designed to improve user experience and capital efficiency, also unexpectedly provided an ideal hunting ground for attackers.
3.1 HLP Treasury: Democratized Market Maker and Clearing Counterparty
One of Hyperliquid's core innovations is its HLP Treasury, a dual-purpose pool of funds managed by the protocol. (Detailed HLP introduction:
https://x.com/agintender/status/1940261212954173716
)
First, HLP acts as the platform's active market maker. It allows community users to deposit USDC into its vault, participate in the platform's automated market-making strategies, and share in the profits (or losses) proportionally. This "democratized" market-making mechanism enables HLP to continuously provide buy and sell orders for numerous illiquid altcoins. As a result, even tokens with a small market capitalization and extremely low liquidity, such as JELLY, can support leveraged positions worth millions of dollars on Hyperliquid—a feat difficult to achieve on traditional exchanges. (In simple terms, it allows for the ability to open positions.)
However, this design not only attracts speculators, but also attracts something more dangerous: attackers who deliberately want to manipulate the market.
Crucially, HLP also serves as the platform's "liquidation stop-loss backup," serving as the final liquidation counterparty . When leveraged positions are forced to close and there aren't enough liquidators willing to take over, the protocol automatically transfers these high-risk positions to the HLP vault, taking the full amount at the price determined by the oracle.
The consequence of this mechanism is that HLP becomes a deterministically exploitable, completely incapable of independent judgment. When deploying their strategy, attackers can fully predict who will take over their toxic positions once liquidation is triggered—not a random and unpredictable counterparty in the market, but an automated system that executes smart contract logic and acts 100% by the rules: the HLP vault.
3.2 Structural flaws in the liquidation mechanism
The Jelly-My-Jelly incident exposed a fatal vulnerability of Hyperliquid under extreme market conditions, the root cause of which was the funding structure and liquidation model within the HLP vault.
During the attack, there was no strict isolation between the "Liquidation Reserve Pool," which handled liquidated positions, and other pools used for market-making and other strategies. They shared the same collateral. When the attacker's $4 million short position was liquidated due to a surge in the Mark Price, the entire position was transferred to the Liquidation Reserve Pool. As the price of JELLY continued to rise, the losses on this position continued to grow.
The attacker simply triggers liquidation (actively reducing margin) to seamlessly dump their losing positions onto the system's "buyer"—the HLP vault. The attacker is well aware that the protocol's rules will force HLP to take over at the most unfavorable price point, making them their "unconditional buyer."
Normally, when losses on positions become so significant as to threaten the stability of the platform system, the automatic position reduction (ADL) mechanism should be triggered, forcing users with opposing profit trends to reduce their positions to share the risk. However, this time, ADL did not activate.
The reason for this is that, despite the Liquidation Reserve Pool itself being deeply in deficit, the system determined the overall health of the HLP Vault remained healthy because it could draw on collateral from other strategy pools within the HLP Vault. Consequently, the risk control mechanism was not triggered. This shared collateral mechanism inadvertently bypassed the ADL systemic risk mitigation, concentrating losses that should have been borne by the market as a whole within the HLP Vault.
Part 4: Case Study - A Complete Review of the Jelly-My-Jelly Attack
On March 26, 2025, a meticulously orchestrated attack unfolded on Hyperliquid, targeting Jelly-My-Jelly (JELLY). This attack, ingeniously combining liquidity manipulation, a deep understanding of oracle mechanisms, and exploitation of platform architectural weaknesses, became a classic case study in deconstructing modern DeFi attack patterns.
4.1 Phase 1: Layout - $4 million short trap
This attack was not an impulsive one. On-chain data shows that the attacker tested their strategy through a series of small transactions over the ten days leading up to the incident, clearly preparing for their final move.
On March 26th, with JELLY's spot price fluctuating around $0.0095, the attacker initiated the first phase of their operation. Multiple wallet addresses participated, with address 0xde96 being the key executor. Through self-trading (acting as both buyer and seller), the attacker quietly built a short position worth approximately $4 million in JELLY's perpetual contract market, supplemented by a long arbitrage position totaling $3 million. This arbitrage trading aimed to maximize open interest (OI) while avoiding triggering abnormal market volatility, thereby laying the groundwork for subsequent price manipulation and induced liquidations.
4.2 Phase 2: Raid — Blitzkrieg in the Spot Market
After the deployment was complete, the attack entered its second phase: rapidly driving up the spot price. JELLY was a coveted target for manipulators. Its total market capitalization was only approximately $15 million, and its order books on major exchanges were extremely thin. According to Kaiko Research data, its 1% market depth was only $72,000, far lower than other similar tokens.
The attacker exploited this vulnerability and launched a simultaneous buy campaign across multiple centralized and decentralized exchanges. Lacking selling support, the spot price of JELLY surged rapidly. Starting at $0.008, it soared over 500% in less than an hour, reaching a peak of $0.0517. Simultaneously, trading volume also exploded. On Bybit alone, JELLY trading volume exceeded $150 million that day, setting a new all-time high.
4.3 Phase 3: Detonation — Oracle Pollution and Liquidation Waterfall
The sharp rise in spot prices was quickly transmitted to Hyperliquid's mark price system. Hyperliquid's oracle mechanism uses a multi-source weighted median algorithm, integrating spot data from multiple exchanges, including Binance, OKX, and Bybit. Because the attackers acted simultaneously across these key sources, the resulting aggregated index price was effectively corrupted, driving up the platform's mark price simultaneously.
The sudden jump in the mark price directly triggered the attacker's previously deployed short position. As losses grew, the $4 million position triggered forced liquidation. This was not a sign of a failed attack, but rather a key component of the attack design.
Because the HLP vault, acting as the platform's clearing counterparty, unconditionally accepted the order based on smart contract logic, and the clearing system failed to trigger the ADL (Automatic Liquidation) mechanism to mitigate risk, the entire high-risk position was directly pressed onto HLP. In other words, the attacker successfully "socialized" their own liquidation losses, leaving HLP's liquidity providers to foot the bill for their manipulation.
4.4 Phase 4: Aftermath — Emergency Removal and Market Reflection
As Hyperliquid descended into chaos, external markets reacted with mixed reactions. Within an hour of JELLY's price being manipulated to a high level, Binance and OKX simultaneously launched JELLY perpetual contracts. This move was widely interpreted by the market as an attempt to exploit the situation of its competitor, Hyperliquid, further exacerbating JELLY's market volatility and indirectly increasing potential losses for the HLP vault.
Faced with tremendous pressure from the market and the community, Hyperliquid validator nodes urgently voted and passed a number of response measures: immediately and permanently delisting the JELLY perpetual contract; and fully compensating all affected users of non-attack addresses with funds from the foundation.
According to Lookonchain data, at the height of the attack, the HLP vault's unrealized losses reached as high as $12 million. Although Hyperliquid officials ultimately reported total losses within 24 hours at $700,000, the entire incident undoubtedly had a profound impact on the platform's structure and risk control system.
JELLY event processConclusion - The "Marking Illusion" and Defense of Perpetual Contracts
The attackers in the Jelly-My-Jelly incident didn't rely on complex contract vulnerabilities or cryptographic techniques. Instead, they identified and exploited the mathematical structural flaws of the mark price generation mechanism—small data sources, median aggregation, fragmented liquidity, and the operation of the market's clearing mechanism. This attack doesn't require sophisticated hacking techniques, only reasonable market operations and a deep understanding of the protocol logic.
The fundamental problem with mark price manipulation is that:
High correlation of oracle data : seemingly “multi-source” price inputs actually come from several exchanges with significant liquidity overlap. Once a few key exchanges are compromised, the entire price index becomes useless.
The aggregation algorithm's tolerance to outliers : The median is effective in large samples, but almost powerless in small samples; when the input source itself is "bought out", no matter how sophisticated the algorithm is, it cannot save the situation.
The "blind faith" problem in the liquidation system : Almost all CEX and DeFi platforms assume that the marked price is fair, thus using it as a liquidation trigger. However, in reality, this trust is often built on tainted data.
Establishing true “resistance to manipulation” between algorithms and games
The mark price shouldn't be a mathematically correct but theoretically fragile value, but rather a mechanism that maintains stability under real market pressure. The ideal of DeFi is to build trust through code, but code isn't perfect. It can entrench biases, amplify flaws, and even become a weapon in the hands of attackers.
The Jelly-My-Jelly incident was no accident, nor will it be the last. It serves as a warning: without a deep understanding of the game structure, any liquidation mechanism based on "determinism" is a potential entry point for arbitrage. For a mechanism to mature, it requires not only faster matching speeds and higher capital efficiency but also a self-reflective ability at the mechanism design level to identify and mitigate systemic risks masked by "mathematical beauty."
May we always maintain a sense of awe for the market.
Mathematics is simple, people are complex.
Only historical games are repeated.
Know that it is so, and know why it is so.
