Hyperliquid’s HLP vault inherits risk through time-based unwinds, a lagging global-ADL trigger, and collateral withdrawals mid-position, together exposing the protocol to outsized losses from thin-cap perps and orchestrated liquidity shocks.
Oracle single-venue dependence, funding-rate grinding, “deposit-bomb” bank-runs, and cross-venue correlated squeezes can be combined to force human intervention without bankrupting the vault, thereby undermining HL’s decentralisation narrative.
Eight protocol-level mitigations (segregated tranches, depth-sensitive unwinds, real-time leverage rebasing, liquidity-weighted oracles, bond-backed Dutch auctions, pre-hedge routing, withdrawal cool-downs, and per-market ADL gates) jointly raise the attacker’s cost curve while capping tail losses.
After capturing a double-digit share of perp volume (11.2%, 24.1%, and 22.1% of Binance, Bybit, and OKX volumes, respectively), Hyperliquid is no longer a curiosity; it is a direct competitor. The response from incumbent CEXs was immediate and public. While HL’s vault was bleeding during the JELLY squeeze, Binance and OKX simultaneously listed the same micro-cap perp, adding external leverage to an already toxic event.
This memo maps out the playbook an adversary (say a cash-rich CEX or a cartel of them) could run against the HLP vault and weighs the protocol-level fixes that might blunt it. Crucially, an attacker doesn’t have to bankrupt Hyperliquid; forcing manual interventions is enough to brand the exchange as either fragile or centralised. Read the memo with that bar in mind.
Hyperliquid’s liquidation path is elegant in concept: if an account’s margin ratio breaches the maintenance threshold, its positions are auctioned into the orderbook; whatever cannot be matched fast enough is inherited by the Hyperliquidity-Provider (HLP) vault. The vault then dribbles the position out over a preset time curve to minimize immediate impact, collecting any residual margin as profit. In bullish markets this usually works: late liquidations tend to close green, and vault LPs enjoy steady yield.
The catch is that the unwind curve is time-based, not depth-based. During JELLY, bid depth evaporated while the vault was still scheduled to off-load equal clips each block. As each clip printed further down the ladder, the mark price widened, the unrealized loss ballooned, and the withdraw queue started blinking red.
A second fragility hides in the global ADL (auto-deleveraging) trigger. ADL fires only after the vault’s aggregate delta breaches a notional or PnL threshold. In practice a single thin-cap perp can eat most of that budget before the system recognizes systemic danger. The $12m unrealized loss on JELLY, generated by a token that traded less than $500k per day elsewhere, proves how skewed the exposure map can become.
Finally, Hyperliquid’s initial design let traders withdraw collateral mid-position. A whale could lever long ETH, withdraw the margin once funding flipped positive, and leave an under-margined timebomb for the vault. March’s patch forces ≥ 20% collateral to stay but does not fully ban intra-position withdrawals. Split the same strategy across fifty wallets and the vault still inherits twenty-times-too-large risk.
For majors, the oracle blends eight CEX feeds. For long-tail Solana tokens without CEX listings, the oracle collapses to Hyperliquid’s own spot book (whose price in turn shadows a single Raydium/OpenBook pool), creating a one-venue choke-point. Pump that pool 3x and the mark chases the manufactured wick before a broader VWAP (Volume-Weighted Average Price) catches up. March’s patch added an outlier-rejection filter that ignores extreme prints beyond a hard-coded volatility band (exact threshold undisclosed), but routine gradual pumps still slide through. A coordinated cartel can walk the price up slowly (inside the envelope) until liquidation thresholds trigger, then reverse.
Funding is calculated off HL’s mark minus a time-weighted external reference. The index is still HL-weighted, so cornering the HL book skews both mark and index, only more slowly. During periods of thin external liquidity (e.g., 02:00–04:00 UTC) an attacker can corner the HL orderbook, push the mark 200~300 bps above a major CEX, and harvest positive funding while delta-neutral via OTC swaps (HL caps hourly funding at 4%/h, so upside is bounded). The vault eventually inherits the underwater long when the attacker margin-withdraws and walks away. This vector never touches the oracle; it exploits the self-referential nature of mark-derived funding.
Because vault deposits and withdrawals clear next block with no queue, an attacker can:
Inject a large, short-term deposit, swelling TVL and loosening the dynamic open-interest caps;
Execute a JELLY-style price squeeze, pushing a mark-to-market loss onto the vault;
Pull the entire deposit back out before retail LPs register the danger.
A March patch (after the ETH incident) forces traders to keep at least 20% collateral when they pull margin, yet that floor is often small enough that a multi-wallet attacker can still drain most of their stake before the panic starts. The vault’s headline TVL collapses after the loss is crystallized, intensifying panic among remaining LPs and widening the withdraw stampede. CEX insurance funds solve the same reflexivity with timed or size-capped withdraw windows; HLP unfortunately has none.
Many micro-caps share the same Solana DEX pool as their deepest off-chain liquidity. A cartel controlling that venue can attack three tokens for (almost) the cost of one, tripling mark-to-market damage versus capital deployed. Because ADL budgets are global, the trio of markets can breach the systemic threshold long before any single-token circuit breaker fires.
To show how those vectors interact, consider a cartel with significant risk capital (say $100~200m), an OTC desk, and influence on a mid-sized Solana AMM.
Seeding the Trap: The cartel deposits $50m into HLP. TVL flashes $410m (baseline $360m as of May 29, 2025), bumping dynamic OI caps higher. No alarms fire; inflows are bullish optics.
Thin-Cap Compression: The cartel crashes three shared-venue tokens (call them token A, B, C) 60% via aggressive sells on Solana. Simultaneously they open maximum-leverage shorts on HL across dozens of wallets, immediately withdrawing 80% margin. The loans are now naked; the vault will inherit if price rebounds.
ETH Whale Replica: One wallet opens a 25x ETH long (~150k ETH or ~$400m notional), posting about $16m margin, then pulls it to the 20% floor (~$3.2m). No mark premium or funding profit is sought; the aim is to leave a huge, under-margined long teetering near liquidation.
Mean-Reversion & Vault Inheritance: Solana market-makers snap A, B, C back to baseline; the vault inherits ~$25m loss on those shorts. A routine 2% ETH dip then trips the whale’s liquidation; the vault absorbs the bulk ETH and books ~$8m additional loss. Net impact: ~$33m, or about 9% of baseline equity. (Note: Why $33m? Each micro-cap short was ~$16m notional; a 60% rebound costs 0.6 × 16 ≈ $9~10m, so three tokens ~$25m, for conservatism. The ETH leg scales the March loss: 1.5 × bigger position and a slightly deeper dip ~2 × loss → ~$8m.)
Deposit-Bomb Detonation: The cartel withdraws the original $50m deposit. TVL tumbles from roughly $410m to about $327m (410–50–33) while bots flag a nine-figure hole in vault PnL. Retail LPs panic; because withdrawals clear next block, tens of millions more disappear within minutes.
Decision Window: Validators take 6–8 minutes to react (as seen in the JELLY incident), either by freezing markets (again) to stop the bank-run, which confirms centralization, or by letting withdrawals continue, which risks insolvency as remaining LPs see TVL draining in real time.
Either path achieves the attacker’s meta-goal: demonstrate that Hyperliquid’s true stop-loss is human intervention, not code. The cartel may lose a few million on hedging slippage, but the reputational crater they create is worth orders of magnitude more.
Segregated Vault Tranches: One path to limiting contagion is to split the insurance pool into separate ERC-4626 vaults (majors, mid-caps, micro-caps) each with an immutable loss ceiling (for example, 2% of its own equity). Under that arrangement, a JELLY-scale blow-up would haircut only the micro-cap tranche, leaving BTC/ETH liquidity unaffected and retail LP confidence intact.
Depth-Sensitive Unwind Scheduler: Instead of dripping fixed-size clips every block, the vault could pace its unwind against live depth: no more than, say, 5% of top-of-book depth or $500k per block. Positions larger than $2m might then migrate to a short Dutch auction, drawing in outside bidders willing to absorb the risk. By matching exit speed to depth, the vault avoids self-hammering illiquid books and gains external capital at moments of peak stress.
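The difference between the time-based schedule and the depth-paced one, as an added example that is not Hyperliquid code. Function names and the depth series are constructed for illustration; the 5%, $500k and $2m values are the memo's illustrative thresholds.

```python
# Added illustration; not Hyperliquid code. Amounts are whole USD.
DEPTH_BPS = 500                    # 5% of top-of-book depth, in basis points
MAX_CLIP_USD = 500_000             # hard per-block cap
AUCTION_THRESHOLD_USD = 2_000_000  # larger positions go to a Dutch auction


def time_based_clips(position_usd, blocks):
    """Equal clip every block, blind to depth (the schedule the memo criticises)."""
    base, extra = divmod(position_usd, blocks)
    return [base + (1 if i < extra else 0) for i in range(blocks)]


def depth_paced_clips(position_usd, depth_per_block):
    """Clip each block at min(remaining, 5% of depth, $500k). Returns (clips, residual)."""
    remaining, clips = position_usd, []
    for depth in depth_per_block:
        clip = min(remaining, depth * DEPTH_BPS // 10_000, MAX_CLIP_USD)
        clips.append(clip)
        remaining -= clip
    return clips, remaining


def route(position_usd):
    """Pick the exit path for an inherited position."""
    return "dutch_auction" if position_usd > AUCTION_THRESHOLD_USD else "depth_paced"


def worst_depth_share(clips, depth_per_block):
    """Largest fraction of visible depth consumed by any single clip."""
    shares = []
    for clip, depth in zip(clips, depth_per_block):
        if clip:
            shares.append(clip / depth if depth else float("inf"))
    return max(shares, default=0.0)


# Constructed sample: bid depth (USD) evaporating over six blocks.
DEPTH = [4_000_000, 2_000_000, 1_000_000, 400_000, 200_000, 200_000]
POSITION = 1_500_000

if __name__ == "__main__":
    fixed = time_based_clips(POSITION, len(DEPTH))
    paced, residual = depth_paced_clips(POSITION, DEPTH)
    print("time-based worst share:", worst_depth_share(fixed, DEPTH))
    print("depth-paced worst share:", worst_depth_share(paced, DEPTH))
    print("residual still held:", residual, "route:", route(POSITION))
```

On this sample the equal-clip schedule ends up selling more than the entire visible book in the last blocks, while the depth-paced schedule never exceeds 5% of depth and carries the unsold residual forward.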
Real-Time Leverage Rebasing: The risk engine might recalculate each market’s 30-minute ADV every thirty seconds and cap total open interest at ten times that rolling figure, automatically adjusting wallet leverage tiers. If liquidity thins, the ceiling contracts before an attacker can warehouse toxic size; when depth returns, leverage expands without governance intervention.
Liquidity-Weighted Multi-Venue Oracle: A more manipulation-resistant index could draw from at least three venues, weighting each feed by executed volume and two-sided depth (depth weighting on AMMs could be proxied by virtual depth or pool TVL). Updates might be skipped whenever combined depth on either side falls below $50k, extending the previous TWAP for thirty seconds. Slow-motion mark manipulation would then require capital across multiple venues for longer than many adversaries can stomach.
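An added sketch of such an index, not Hyperliquid's oracle code. The `Feed` type, `index_price`, and the weight formula (volume × the thinner side's depth) are assumptions made here; the three-venue minimum and $50k floor are the memo's illustrative values, and the feeds are constructed.

```python
# Added illustration; not Hyperliquid code.
from dataclasses import dataclass

MIN_VENUES = 3               # memo: draw from at least three venues
MIN_SIDE_DEPTH_USD = 50_000  # memo: skip the update below this combined depth
HOLD_SECONDS = 30            # memo: how long the previous value is extended


@dataclass
class Feed:
    venue: str
    price: float
    volume_usd: float
    bid_depth_usd: float
    ask_depth_usd: float


def index_price(feeds, previous_index):
    """Return (index, updated). On a skipped update the previous index is held."""
    if len(feeds) < MIN_VENUES:
        return previous_index, False
    bids = sum(f.bid_depth_usd for f in feeds)
    asks = sum(f.ask_depth_usd for f in feeds)
    if bids < MIN_SIDE_DEPTH_USD or asks < MIN_SIDE_DEPTH_USD:
        return previous_index, False
    # Assumed weighting: executed volume times the thinner side of the book,
    # so a venue with one-sided or negligible depth contributes almost nothing.
    weights = [f.volume_usd * min(f.bid_depth_usd, f.ask_depth_usd) for f in feeds]
    total = sum(weights)
    if total == 0:
        return previous_index, False
    return sum(w * f.price for w, f in zip(weights, feeds)) / total, True


# Constructed feeds: two deep venues near 1.00 and one thin pool printing 3x.
FEEDS = [
    Feed("venue_a", 1.00, 1_000_000, 200_000, 200_000),
    Feed("venue_b", 1.02, 800_000, 150_000, 150_000),
    Feed("thin_pool", 3.00, 50_000, 10_000, 10_000),
]

if __name__ == "__main__":
    simple_mean = sum(f.price for f in FEEDS) / len(FEEDS)
    print("unweighted mean:", round(simple_mean, 4))
    print("liquidity-weighted:", index_price(FEEDS, previous_index=1.0))
```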
Dutch-Auction Liquidations With Pre-Funded Bidders: A permissionless clearinghouse that keeps a roster of addresses with 0.5% performance bonds could run 20-second descending auctions for any liquidation over $2m. Risk transfers to traders who want it, and the vault’s downside is capped at the auction discount instead of the full position delta.
Pre-Liquidation Hedge Router: Where liquidations above $5m look imminent, an on-chain router might fire one-way pegged hedge orders on a major CEX, then publish the execution receipt within a second. Offsetting delta ahead of the on-chain unwind turns directional exposure into a known hedge cost rather than an open-ended loss.
Withdrawal Cool-Down Throttle: Another option is to move from next-block withdrawals to a linear six-hour vest whenever vault equity falls more than 2% in thirty minutes. Because the rule is transparent and ex-ante, LPs can still exit but lose the reflexive speed that fuels bank-runs.
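The throttle rule as an added example, not Hyperliquid code. `throttle_active` and `withdrawable` are hypothetical names, and measuring the drop from the highest equity sample in the window is an assumption; the 2%, thirty-minute and six-hour values are the memo's illustrative thresholds.

```python
# Added illustration; not Hyperliquid code. Amounts are whole USD, times are seconds.
WINDOW_S = 30 * 60     # look-back window for the drawdown test
TRIGGER_BPS = 200      # throttle when equity is down more than 2% inside the window
VEST_S = 6 * 3600      # linear vest length once throttled


def throttle_active(equity_history, now):
    """equity_history: time-ordered (timestamp, equity_usd) samples.
    Assumption: the drop is measured from the highest sample in the window."""
    window = [eq for ts, eq in equity_history if now - WINDOW_S <= ts <= now]
    if not window:
        return False
    peak, current = max(window), window[-1]
    return (peak - current) * 10_000 > TRIGGER_BPS * peak


def withdrawable(requested_usd, requested_at, now, throttled):
    """Amount released so far: everything when unthrottled, a linear vest otherwise."""
    if not throttled:
        return requested_usd
    elapsed = min(max(now - requested_at, 0), VEST_S)
    return requested_usd * elapsed // VEST_S


# Constructed samples using the memo's scenario figures: $410m TVL, then a $33m loss.
HISTORY = [(0, 410_000_000), (600, 377_000_000)]

if __name__ == "__main__":
    throttled = throttle_active(HISTORY, now=600)
    print("throttle active:", throttled)
    for hours in (0, 1, 3, 6):
        released = withdrawable(50_000_000, 600, 600 + hours * 3600, throttled)
        print(f"{hours}h after request: ${released:,} of $50,000,000 released")
```

Under this rule the $50m deposit from the scenario cannot leave in one block after the loss lands; one hour in, only about $8.3m has vested.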
Per-Market ADL Gates: Auto-deleverage could be applied on a per-market basis once unrealised loss reaches, say, 1% of total vault equity multiplied by a liquidity factor (1.0 for majors, 0.25 for thin caps). Thin markets would exhaust only their own mini-budget, preserving broader exchange health without human intervention.
*Parameter note: All numerical thresholds in the foregoing counter-measures are illustrative waypoints. They exist so readers can see the levers, debate where the dials should sit, and focus on the mechanism rather than on whether a guard-rail is needed in the first place.
These ideas layer rate limits, depth awareness, and explicit loss caps so that oracle spoofing, size abuse, or deposit-timing gimmicks each collide with a hard, deterministic guard-rail long before validators feel pressure to step in. None is a silver bullet, and each carries engineering trade-offs, but taken together they raise the cost curve for attackers while shrinking the protocol’s blast radius.