Expert Warns Hyperliquid’s $10.6M JELLY Exploit Could Hit Other DeFi Protocols

Hyperliquid Exploit Shakes Security Throughout DeFi

The Hyperliquid platform is in the limelight after a $10.63 million exploit of its JELLY token. Experts characterize the breach as not a traditional bug but a risk oversight that can potentially expose other DeFi protocols to the same vulnerabilities.

Dr. Jan Philipp Fritsche, a managing director at blockchain audit company Oak Security, analyzed the cause of the exploit as not code failure but unpriced risk—a long-established principle of conventional finance that DeFi platforms often ignore.

How the JELLY Exploit Unfolded

The attacker, in Fritsche’s view, manipulated the market by shorting JELLY by $5 million and then draining the margin. Hyperliquid was left with the exposure, and other users exploited this vulnerability through a group short squeeze.

“The attacker created massive counter positions in JELLY, wagering that one side would break and the other would be covered,” Fritsche said. “Because payouts were not capped and risk was not contained, the protocol absorbed the loss—and the attacker made off with millions.”

A Broader DeFi Risk

Fritsche referred to the attack as a “textbook example of unpriced vega risk,” explaining how protocols are prone to overlook implied volatility. Lacking proper means of risk pricing, most decentralized exchanges are left exposed to such strategic attacks.

Industry Reactions and Implications

Backlash poured in in the wake of the attack. Bitget CEO Gracy Chen labeled Hyperliquid’s architecture as “immature, unethical, and unprofessional” and drew parallels between it and the now-defunct FTX.

While Hyperliquid has promised to reimburse affected users, its reputation has taken a major hit.

DeFi’s Mounting Losses

The JELLY exploit is part of a larger pattern in DeFi. In 2024 alone, exploits cost $308.7 million—more than the $192.9 million lost to rug pulls. Just days after the Hyperliquid attack, another DeFi protocol, SIR.trading, was drained of its entire $355,000 total value locked.

The event is a reminder that as DeFi grows, so must its security maturity lest history repeat itself.