Hyperliquid Attack: Trader Burns $3M to Drain $5M From Vault
Decentralized derivatives platform Hyperliquid faced a sophisticated attack on November 12. An unknown trader sacrificed $3 million to manipulate the POPCAT market and trigger cascading liquidations. The coordinated strike drained nearly $5 million from the protocol’s Hyperliquidity Provider (HLP) vault.
The attack began when the perpetrator withdrew 3 million USDC from the OKX exchange. These funds were distributed across 19 new wallets. The attacker then deployed capital to execute a complex manipulation strategy targeting Hyperliquid’s liquidity infrastructure.
How the Hyperliquid Attack Unfolded
The trader opened more than $26 million in leveraged long positions tied to HYPE, Hyperliquid’s POPCAT-denominated perpetual contract. This massive position set the stage for the subsequent manipulation.
The attacker constructed a $20 million buy wall near the $0.21 mark. This artificial barrier created the illusion of strong market demand. Prices briefly rallied as traders interpreted the buy wall as genuine support.
When the attacker suddenly removed the buy wall, the market collapsed. Liquidity vanished almost instantly. Dozens of highly leveraged positions were forced into liquidation. The HLP vault absorbed these losses, suffering a $4.9 million hit.
Market Manipulation Strategy Targets Vault Structure
The attacker lost all $3 million, distinguishing this event from typical market manipulations that aim to generate direct profits. The deliberate sacrifice suggests the goal was structural damage rather than financial gain.
This exploit was designed to destabilize Hyperliquid’s liquidity architecture and subject automated liquidity provider systems to significant stress. The attack exposed vulnerabilities in how decentralized perpetual exchanges handle thin liquidity conditions.
Community reactions varied widely. One observer called it a “$3 million performance art piece,” while another described it as “peak degen warfare.” Some speculated the attacker may have hedged positions elsewhere, though no evidence supports this theory.
Third Major Hyperliquid Liquidation Incident
This marks Hyperliquid’s third similar attack in 2025, following incidents in March and July. The March attack involved the JELLY token and nearly resulted in $12 million in losses. Each incident has followed a similar pattern of exploiting illiquid markets and automated liquidation systems.
These incidents highlight a structural vulnerability: high leverage, illiquid tokens, and community-funded liquidation pools together create predictable targets for market manipulation. Hyperliquid’s success has made it an attractive target for sophisticated attackers.
Following the attack, Hyperliquid temporarily halted withdrawals. The platform activated its “vote emergency lock” function as a safety measure. Withdrawals resumed approximately one hour later. The platform has not officially linked the withdrawal freeze to the POPCAT event.
Decentralized Exchange Security Challenges
Hyperliquid is one of the fastest-growing decentralized perpetual exchanges, regularly posting over $10 billion in daily trading volume. The platform’s rapid growth has attracted both legitimate traders and malicious actors.
No smart contracts, custodial systems, or validator infrastructure were compromised. The attack succeeded purely through market manipulation tactics. This distinguishes it from traditional hacks that exploit code vulnerabilities.
The incident raises questions about automated liquidity providers in decentralized finance. When vaults automatically absorb liquidated positions, they become vulnerable to coordinated attacks. Platforms must balance automation with protective mechanisms.
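A monitoring check for the pattern described above, as an added example that is not part of the original article or Hyperliquid's code: it measures how much near-price bid depth depends on one participant and compares leveraged long exposure with the depth that would remain if that participant cancelled. The order book, owner labels and thresholds are constructed assumptions; the $26 million and $20 million figures come from the article.

```python
from dataclasses import dataclass

@dataclass
class Bid:
    owner: str       # account or wallet cluster (assumes clustering is done upstream)
    price: float
    notional: float  # USD size resting at that price

def wall_risk(bids, mid, long_oi, band=0.05, max_share=0.5, max_oi_ratio=5.0):
    """Assess how much near-mid bid support could vanish in a single cancel.

    band, max_share and max_oi_ratio are illustrative thresholds,
    not values used by any exchange.
    """
    # Only bids within `band` below the mid price count as support.
    near = [b for b in bids if mid * (1 - band) <= b.price <= mid]
    total = sum(b.notional for b in near)
    by_owner = {}
    for b in near:
        by_owner[b.owner] = by_owner.get(b.owner, 0.0) + b.notional
    top_owner, top = max(by_owner.items(), key=lambda kv: kv[1],
                         default=(None, 0.0))
    robust = total - top  # depth left if the largest owner cancels
    share = top / total if total else 0.0
    oi_ratio = long_oi / robust if robust else float("inf")
    return {
        "total_depth": total,
        "robust_depth": robust,
        "top_owner": top_owner,
        "top_share": share,
        "oi_to_robust_depth": oi_ratio,
        # Flag only when support is concentrated AND exposure dwarfs what remains.
        "flag": share > max_share and oi_ratio > max_oi_ratio,
    }

# Constructed book shaped like the incident: one $20M wall near $0.21,
# thin organic bids around it, $26M of leveraged longs outstanding.
BOOK = [
    Bid("cluster-A", 0.210, 20_000_000),
    Bid("mm-1", 0.212, 600_000),
    Bid("mm-2", 0.209, 500_000),
    Bid("retail", 0.205, 400_000),
    Bid("mm-1", 0.180, 900_000),  # outside the 5% band, ignored
]
REPORT = wall_risk(BOOK, mid=0.213, long_oi=26_000_000)
```

A flagged market is a candidate for lower leverage limits or tighter open-interest caps before the backstop vault has to absorb the liquidations.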
Conclusion
Hyperliquid has not announced changes to its vault mechanics following this attack. However, the DeFi ecosystem is likely reviewing how liquidity vaults absorb risk under coordinated pressure.
The attack serves as a reminder that decentralized platforms face unique challenges. Market manipulation can inflict significant damage even when attackers incur substantial losses themselves. Robust liquidity buffers and improved risk management systems are essential.

