The Median Trap: How JELLY Manipulates Mark Price to Trigger Hyperliquid's Liquidation Domino?

When the loyal messenger is weaponized – the mark price, this fair judge, becomes the fuse that ignites the Hyperliquid chain liquidation storm.

In March 2025, a little-known token called JELLY, with a daily trading volume of less than $2 million, triggered a multi-million dollar liquidation storm on Hyperliquid. Shockingly, the attacker neither tampered with the smart contract nor exploited traditional code vulnerabilities, but instead turned the platform’s most core security mechanism—the mark price—into a weapon.

This is not a hacking attack, but a “compliance attack” on the system rules. The attackers exploited the platform’s publicly available computational logic, algorithm processes, and risk control mechanisms to create a “no-code attack” that was extremely damaging to both the market and traders. The mark price, which should serve as a “neutral and safe” anchor for the market, turned from a shield into a deadly weapon in this incident.

This article will analyze the systemic risks of the mark price mechanism in the perpetual contract market for altcoins from both theoretical and practical perspectives, and conduct a detailed review of the Jelly-My-Jelly attack incident. This event not only revealed the structural vulnerabilities in oracle design and the double-edged sword properties of innovative liquidity pools (HLP Vault), but also exposed the inherent asymmetry of current mainstream liquidation logic in protecting user funds during extreme market conditions.

Part One: The Core Paradox of Perpetual Contracts - The Slant of the Liquidation Mechanism Brought by False Sense of Security

1.1 Mark Price: A Liquidation Tendency Brought by a Misconceived Safe Consensus Game

To understand how the mark price becomes an entry point for attacks, we must first break down its structural logic. Although the calculation methods of different exchanges vary slightly, their core principles are highly consistent—a three-value median mechanism built around the “index price.”

• The Index Price is the cornerstone of the mark price. It is not derived from the derivatives exchange itself, but is calculated by taking a weighted average of the prices of the asset on multiple mainstream spot platforms (such as Binance, Coinbase, Kraken, etc.), aiming to provide a fair reference price across platforms and regions.

A typical mark price calculation method is as follows:

Mark Price = Median (Price1, Price2, Last Traded Price)

• Price1 = Index Price × (1 + Funding Rate Basis ): Anchoring the contract price to the index price while considering market expectations.
• Price2 = Index Price + Moving Average Basis: used to smooth short-term price anomalies.
• Last Traded Price = The latest transaction price on the derivatives platform.

The introduction of the median is intended to eliminate outliers and enhance price stability. However, the safety of this design is entirely based on a critical assumption: that the number of input data sources is sufficient, the distribution is reasonable, the liquidity is strong, and it is difficult to be collaboratively manipulated.

However, in reality, the spot market for the vast majority of altcoins is extremely weak. Once an attacker can control the prices of several low-liquidity platforms, they can “pollute” the index price, thereby injecting malicious data into the mark price through the formula in a legitimate way. This kind of attack can leverage large-scale leveraged liquidations at minimal cost, triggering a chain reaction.

In other words, the aggregation mechanism is intended to disperse risks, but in a market with sparse liquidity, it instead creates a “centralized weakness” that can be controlled by attackers. The more a derivatives platform emphasizes the transparency and predictability of its rules, the more attackers can “programmatically exploit the rules” to construct a compliant path of destruction.

1.2 Liquidation Engine: The shield of the platform, but also the blade

When the market price fluctuates rapidly in an unfavorable direction, the trader’s margin will be eroded by floating losses. Once the remaining margin falls below the “Maintenance Margin” level, the liquidation engine will be triggered.

In these processes, the core trigger criterion is the mark price (Mark price), rather than the platform’s latest transaction price. This means that even if the current market transaction price has not yet reached your liquidation line, as long as that “invisible” mark price is reached, liquidation will be triggered immediately.

What is even more concerning is the “forced liquidation” (or early settlement) mechanism.

In many exchanges, in order to avoid liquidation risks, the risk control systems often adopt conservative liquidation parameters. When forced liquidation is triggered, even if the liquidation price is better than the actual zero-loss price, the platform usually does not return this part of the “forced liquidation surplus” but instead directly injects it into the platform’s insurance fund. This leads traders to have the illusion of “clearly having margin, yet being liquidated early,” causing their accounts to go directly to zero.

This mechanism is particularly common in assets with low liquidity. To hedge its own risks, the platform will set the liquidation line more conservatively, making it easier for positions to be “liquidated early” during price fluctuations. The logic is reasonable, but the result creates a subtle misalignment of interests between the platform and traders in extreme market conditions.

The liquidation engine should be a neutral risk control tool, but in terms of profit attribution, parameter selection, and triggering logic, it exhibits a tendency towards platform profitability.

1.3 The failure of the mark price leads to distortion in the liquidation engine

On this platform, the tendency to hate losses has further exacerbated the sharp fluctuations in index price and mark price, leading to the forward (backward) shift of forced liquidation funds.

The theory of mark price provides a fair and manipulation-resistant price benchmark by aggregating multi-source data and using a median algorithm. However, this theory may hold when applied to liquid mainstream assets, but its effectiveness will face severe challenges when confronted with illiquid and exchange-concentrated altcoins.

The Failure of the Median: The Statistical Dilemma of Concentrated Data Sources

• Effectiveness in large datasets: Assume a price index contains 10 independent, highly liquid data sources. If one of the data sources produces an extreme quote for any reason, the median algorithm can easily identify it as an outlier and disregard it, taking the middle value as the final price, thus maintaining the stability of the index.
• Vulnerabilities in small datasets: Now, we consider a typical altcoin scenario.
• Three Data Source Scenario: If the mark price index of a cryptocurrency only includes the spot prices from three exchanges (A, B, C). At this point, the median is the one that ranks in the middle among the three prices. If a malicious actor simultaneously manipulates the prices of two exchanges (for example, A and B), then no matter how accurate the price of C is, the median will be determined by the manipulated prices of A and B. At this point, the protective effect of the median algorithm is almost zero.
• Dual data source scenario: If the index only contains two data sources, the median is mathematically equivalent to the average of the two prices. In this case, the algorithm completely loses its ability to exclude outliers. Any drastic fluctuation in either data source will directly and without attenuation affect the mark price.

For the vast majority of altcoins, their trading depth and the number of listed exchanges are very limited, which makes their price indices easily fall into the aforementioned “small data set” trap. Therefore, the sense of security brought by the exchange’s claim of “multi-source index” is often just an illusion in the world of altcoins. Many times, the latest transaction price is often equated with the mark price.

Second Part: The Oracle Dilemma: When Spot Liquidity Dwindles Becomes a Weapon

The foundation of the mark price is the index price, and the source of the index price is the oracle. Whether it’s CEX or DEX, oracles play the role of a bridge for information transmission between on-chain and off-chain. However, this bridge, while critical, is exceptionally fragile during times of liquidity scarcity.

2.1 Oracle: The Fragile Bridge Connecting On-chain and Off-chain

The blockchain system is essentially closed and deterministic, and smart contracts cannot actively access off-chain data, such as the market price of assets. Price Oracles have emerged as a middleware system responsible for securely and reliably transmitting off-chain data to the on-chain, providing “real-world” information inputs for the operation of smart contracts.

In perpetual contract trading platforms or lending protocols and other core DeFi infrastructures, the price data provided by oracles is almost the cornerstone of their risk management logic. However, a commonly overlooked fact is that an “honest” oracle does not mean it reports a “reasonable” price. The oracle’s duty is merely to accurately record the external world state it can observe; it does not judge whether the price deviates from fundamentals. This characteristic reveals two distinctly different attack paths:

• Oracle Exploit: An attacker manipulates the data source or protocol of the oracle through technical means, causing it to report incorrect prices.
• Market Manipulation: Attackers deliberately drive up or push down prices by manipulating external markets, while normally functioning oracles accurately record and report this “manipulated” market price. The on-chain protocol has not been compromised, but it experiences unintended reactions due to “information poisoning.”

The latter is the essence of the Mango Markets and Jelly-My-Jelly events: it is not that the oracle was compromised, but rather that its “observation window” was contaminated.

2.2 The Pivot of Attack: When Liquidity Deficits Become Weapons

The core of this type of attack lies in exploiting the liquidity disadvantage of the target asset in the spot market. For assets with thin trading, even small orders can cause drastic price fluctuations, thereby providing an opportunity for manipulators.

The attack on Mango Markets in October 2022 is a “textbook case.” The attacker Avraham Eisenberg exploited the extreme liquidity exhaustion of its governance token MNGO (with a daily trading volume of less than $100,000 at the time) by concentrating approximately $4 million in purchases across multiple exchanges, successfully driving the price of MNGO up by over 2300% in a very short time. This “anomalous price” was fully recorded by oracles and fed to the on-chain protocol, causing its borrowing limits to skyrocket, ultimately “legally” draining the platform’s entire assets (approximately $116 million).

Attack Path Detailed Explanation: Five Steps to Breach the Protocol Defense Line

1. Target Selection: The attacker first selects target tokens, usually meeting the following conditions: perpetual contracts have been launched on a certain mainstream derivatives platform; the oracle price comes from several known, illiquid spot exchanges; daily trading volume is low, and the order book is sparse, making it easy to manipulate.
2. Capital Acquisition: Most attackers obtain temporary large amounts of funds through Flash Loans. This mechanism allows borrowing and repaying assets in a single transaction without any collateral, significantly reducing the cost of manipulation.
3. Spot Market Blitz: Attackers place a large number of buy orders simultaneously across all exchanges monitored by the oracle in a very short period of time. These orders quickly clear the sell orders, pushing the price to a high level—far from its true value.
4. Oracle Contamination: The oracle faithfully reads prices from the manipulated exchanges mentioned above. Even with mechanisms like median and weighted average to resist volatility, it is difficult to withstand simultaneous multi-source manipulation. The resulting index price is severely contaminated.
5. Mark Price Infection: Contaminated index prices enter the derivatives platform, affecting the calculation of the mark price. The liquidation engine misjudges the risk range, triggering a large-scale “liquidation,” resulting in significant losses for traders, while attackers can achieve arbitrage through reverse positions or lending operations.

Attackers’ “Battle Manual”: The Double-Edged Sword of Transparency

Whether it is a CEX or DEX protocol, they often tout “open source and transparency” as virtues, disclosing details such as their oracle mechanism, data source weights, and price refresh frequency, with the aim of building user trust. However, for attackers, this information becomes a “manual” for formulating attack plans.

Taking Hyperliquid as an example, its oracle architecture publicly lists all data source exchanges and their weights. Attackers can precisely calculate how much capital to invest in each exchange with the weakest liquidity, thereby maximizing the distortion of the final weighted index. This kind of “algorithm engineering” makes attacks controllable, predictable, and minimizes costs.

Mathematics is simple, but people are complex.

Part Three: Hunting Grounds — Structural Risk Analysis of Hyperliquid

After understanding the principles of the attack, the “attacker” next needs to choose a suitable “battlefield” - Hyperliquid. Although manipulating the oracle is a common attack method, the reason why the “Jelly-My-Jelly” incident could occur on Hyperliquid and cause severe consequences lies fundamentally in the platform’s unique liquidity architecture and liquidation mechanism. These designs, aimed at enhancing user experience and capital efficiency, while innovative, unexpectedly provide attackers with an ideal “hunting ground.”

3.1 HLP Treasury: Democratized Market Makers and Clearing Counterparties

One of the core innovations of Hyperliquid is its HLP treasury—a fund pool managed uniformly by the protocol, serving dual functions. (Detailed introduction to HLP:

）

First, HLP acts as the proactive market maker for the platform. It allows community users to deposit USDC into the treasury, participate in the platform’s automated market-making strategies, and share profits (or losses) proportionally. This “democratized” market-making mechanism enables HLP to continuously provide buy and sell orders for numerous illiquid altcoins. As a result, even tokens with small market capitalization and extremely low liquidity, like JELLY, can support leveraged positions in the millions of dollars on Hyperliquid—something that is difficult for traditional exchanges to achieve. (In simpler terms, it means positions can be built.)

However, this design not only attracts speculators but also draws the attention of a more dangerous presence: attackers who deliberately manipulate the market.

More importantly, HLP also serves as the platform’s “liquidation stop-loss backstop,” meaning it acts as the final clearing counterparty. When leveraged positions are forcibly liquidated and there are not enough liquidators in the market willing to take over, the protocol will automatically transfer these high-risk positions to the HLP treasury, and it will accept them at the price provided by the oracle.

The consequence of this mechanism is that HLP has become a takeover entity that can be deterministically utilized and has no autonomous judgment capability. When attackers deploy their strategies, they can fully predict that once their “toxic position” triggers a liquidation, it will be taken over by someone—not a random and unpredictable market counterparty, but an automated system: HLP vault, which executes smart contract logic and acts 100% according to the rules.

3.2 Structural Defects of the Clearing Mechanism

The Jelly-My-Jelly incident exposed a fatal flaw in Hyperliquid’s funding structure and liquidation model within the HLP treasury under extreme market conditions.

When the attack occurred, there was no strict isolation mechanism between the “liquidation reserve pool” responsible for handling liquidated positions and other funding pools executing market making strategies. They share the same collateral. When the attacker’s short position worth 4 million dollars was liquidated due to a spike in the mark price, the position was fully transferred to the liquidation reserve pool. As the price of JELLY continued to rise, the losses on this position also continued to expand.

Attackers only need to trigger a liquidation (actively reducing margin) to seamlessly offload their losing positions to the buyers within the system - the HLP vault. Attackers are well aware: the protocol rules will force the HLP to execute the buy at the most unfavorable price, becoming their “unconditional buyer.”

Generally speaking, when the position incurs huge losses that threaten the stability of the platform system, the automatic reduction of positions ADL mechanism should be triggered to force the users on the opposite side of the profitable direction to reduce their positions in order to share the risk. However, this time, the ADL did not start.

The reason is: Although the liquidation reserve pool itself has already fallen into deep losses, because it can call upon the collateral assets from other strategy pools in the entire HLP treasury, the system determines that the “overall health” of the entire HLP treasury is still good, thus not triggering the risk control mechanism. This design of shared collateral mechanism inadvertently bypassed the ADL systemic risk defense line, causing losses that should have been borne by the market as a whole to ultimately concentrate and explode within the HLP treasury.

Part Four: Case Study - A Complete Review of the Jelly-My-Jelly Attack

On March 26, 2025, a meticulously planned attack took place on Hyperliquid, targeting Jelly-My-Jelly (JELLY). This attack cleverly combined the manipulation of liquidity, an in-depth understanding of oracle mechanisms, and the exploitation of architectural vulnerabilities in the platform, becoming a classic case of deconstructing modern DeFi attack patterns.

4.1 Stage One: Layout - A Short Trap Worth 4 Million USD

This attack was not a spur-of-the-moment decision. On-chain data shows that the attacker spent a full ten days prior to the incident testing strategies through a series of small-scale transactions, clearly preparing for the final action.

On March 26, as the spot price of JELLY fluctuated around $0.0095, the attacker began to implement the first phase. Multiple wallet addresses were involved, with address 0xde96 being the key executor. The attacker quietly built a short position worth approximately $4 million in JELLY’s perpetual contract market through self-trading (i.e., acting as both buyer and seller), supplemented by a total of $3 million in long positions through wash trading. The purpose of these wash trades was to maximize the open interest (OI) of the futures contracts while avoiding triggering abnormal market fluctuations, thereby laying the groundwork for subsequent price manipulation and liquidation.

Stage 4.2: Raid - The Blitz of the Spot Market

After the layout is completed, the attack enters the second phase: rapidly raising the spot price. JELLY is the target that manipulators dream of. Its total market capitalization is only about $15 million, and the order book on mainstream exchanges is extremely thin. According to Kaiko Research data, its 1% market depth is only $72,000, far lower than other similar tokens.

Attackers are leveraging this point to simultaneously launch buying offensives on multiple centralized and decentralized exchanges. Due to the lack of selling support, the JELLY spot price was rapidly increased in a short period of time. Starting from $0.008, the price skyrocketed by over 500% in less than an hour, reaching a peak of $0.0517. Meanwhile, trading volume also exploded. On just the Bybit exchange, the daily trading volume of JELLY exceeded $150 million, setting a new historical high.

4.3 Phase Three: Detonation - Oracle Contamination and Liquidation Waterfall

The sharp rise in spot prices quickly transmitted to Hyperliquid’s mark price system. Hyperliquid’s oracle mechanism employs a multi-source weighted median algorithm, integrating spot data from multiple exchanges such as Binance, OKX, and Bybit. As attackers acted in sync at these key sources, the final aggregated index price was effectively contaminated, leading to a synchronous rise in the mark price within the platform.

The jump in the mark price directly triggered the short positions previously deployed by the attacker. As the losses widened, the $4 million position was forced to liquidate. This moment was not a failure of the attack, but rather a core aspect of the attack’s design.

As the clearing counterparty of the platform, the HLP treasury unconditionally takes over according to the logic of the smart contract, while the clearing system fails to trigger the ADL (Automatic Deleveraging) mechanism to share risk, causing the entire high-risk position to be directly pressed onto the HLP. In other words, the attacker successfully “socialized” their liquidation losses, making HLP’s liquidity providers foot the bill for their manipulative actions.

Stage 4: Aftershock - Emergency Delisting and Market Reflection

As Hyperliquid fell into chaos, external markets also showed complex reactions. Within an hour of JELLY being manipulated to its peak, Binance and OKX launched JELLY’s perpetual contracts almost simultaneously. The market generally interpreted this action as a “profiting from Hyperliquid’s misfortune,” further intensifying JELLY’s market volatility and indirectly increasing the potential losses of the HLP treasury.

In the face of immense pressure from the market and the community, Hyperliquid validator nodes urgently voted to implement several countermeasures: to immediately and permanently delist the JELLY perpetual contract; and to fully compensate all affected users from non-attack addresses funded by the foundation.

According to Lookonchain data, at the height of the attack, the unrealized losses of the HLP treasury reached as high as 12 million dollars. Although Hyperliquid officially reported that the total losses were contained to 700,000 dollars within 24 hours, the impact of the entire incident on the platform’s structure and risk control system is undoubtedly profound.

JELLY event process

Conclusion - The “Mark Price Illusion” and Defensive Propositions of Perpetual Contracts

In the Jelly-My-Jelly incident, the attackers did not rely on complex contract vulnerabilities or cryptographic means; they simply uncovered and exploited the mathematical structural flaws in the mark price generation mechanism—small data sources, median aggregation, and fragmented liquidity—while leveraging the market’s liquidation mechanisms to operate. This type of attack does not require sophisticated hacking techniques, but rather a reasonable market operation and a deep understanding of the protocol logic.

The fundamental issue with mark price manipulation is:

• High relevance of oracle data: The seemingly “multi-source” price inputs actually come from a few exchanges with seriously overlapping liquidity. Once a few key exchanges are breached, the entire price index becomes virtually meaningless.
• Tolerance of the aggregation algorithm to outliers: the median is effective in large samples, but almost powerless in small samples; when the input source itself is “bought out,” even the most sophisticated algorithm cannot save the situation.
• The “blind trust” issue in the liquidation system: Almost all CEX and DeFi platforms default to believing that the mark price is fair, thus using it as a liquidation trigger. However, in reality, this trust is often built on a foundation of contaminated data.

Establishing true “manipulation resistance” between algorithms and games

The mark price should not be a value that is “mathematically correct but strategically fragile,” but rather a product of a mechanism that can maintain stability under real market pressures. The ideal of DeFi lies in building trust through code, but code is not perfect; it can also solidify biases, amplify pre-existing defects, and even become a weapon in the hands of attackers.

The Jelly-My-Jelly incident was not a coincidence, nor will it be the last. It serves as a warning: any “deterministic” clearing mechanism, without a deep understanding of the game structure, is a potential arbitrage entry point. For the mechanism to mature, it requires not only faster matching speeds and higher capital efficiency, but also a self-reflective capability at the mechanism design level to identify and block these systemic risks that are obscured by “mathematical aesthetics.”

May we always maintain a heart of reverence for the market.

Mathematics is simple, but people are complex.

Only historical games are repeated.

Knowing the fact, and knowing the reason behind it.