The recent $10.63 million exploit on Hyperliquid’s JELLY token has sparked a wave of criticism across the crypto community—and experts say it may not be an isolated case. According to Dr. Jan Philipp Fritsche, Managing Director at Oak Security, the incident wasn’t due to a coding bug, but rather a predictable and preventable design flaw that could impact other DeFi protocols too.
In a conversation with crypto.news, Fritsche explained that the attack was a coordinated market manipulation, not a technical glitch.
Inside the Exploit: What Went Wrong?
Here’s how it unfolded: an attacker opened a $5 million short position on JELLY, then removed their margin—essentially leaving the trade exposed. With Hyperliquid now holding the risky position, other traders stepped in and engineered a short squeeze. The result? The protocol absorbed massive losses, while the attacker cashed out with millions.
“The attacker opened huge opposing trades in JELLY, knowing one side would collapse and the other would profit. Since payouts weren’t capped and risk wasn’t isolated, Hyperliquid took the full hit,” explained Fritsche.
He called it a “textbook case of unpriced vega risk”—a term borrowed from traditional finance that refers to underestimating an asset’s volatility. According to Fritsche, this kind of oversight is still common across many DeFi protocols.
Industry Reaction: “FTX 2.0?”
The fallout from the exploit has been swift. Gracy Chen, CEO of Bitget, slammed Hyperliquid’s practices as “immature, unethical, and unprofessional,” even suggesting the exchange could become another FTX-style collapse if issues aren’t addressed.
Hyperliquid has promised to compensate affected users, but the damage to its credibility may be hard to undo. More critically, the event has reignited concerns over broader vulnerabilities in the DeFi ecosystem.
A Growing Problem in DeFi
The Jelly incident is part of a worrying trend. In 2024 alone, DeFi exploits caused over $308.7 million in losses—surpassing the amount lost to rug pulls, which totaled $192.9 million.
Just days after the Hyperliquid exploit, another DeFi platform, SIR.trading, was also hacked, losing its entire $355,000 total value locked (TVL).
