Trader Burns $3M Exploit to Drain $5M from Hyperliquid Vault
A recent concerted on Hyperliquid involved an anonymous trader intentionally losing $3 million in capital to exploit the platform’s POPCAT market. This resulted in over $5 million being lost from the Hyperliquidity Provider (HLP) vault.
This event highlights the fragilenesses of automated liquidity provider vaults and on-chain derivatives platforms.
The Attack Sequence and Changing the Market
The attack began when 3 million USDC were from the and transferred to 19 new wallets. With these funds, they opened leveraged long positions against HYPE, Hyperliquid’s POPCAT-denominated perpetual contract, worth more than $26 million.Â
The trader then set up a large $20 million purchase wall near the $0.21 price to make people think the market was more stable, which had a short-term effect on prices.
However, when the purchase wall was removed and liquidity support was withdrawn, the price plummeted dramatically, triggering a chain reaction of liquidations for many traders who were heavily leveraged. The HLP vault absorbed the losses from this liquidation cascade, resulting in a $4.9 million loss for the platform.
What The Exploit Was Meant To Do and What It Did
The attacker lost all of their $3 million, which is distinct from most market manipulations that aim to generate profits directly. This suggests that the attacker’s goal was to do structural damage rather than make money.
The exploit was designed to destabilise the Hyperliquid protocol’s liquidity architecture and subject its automated liquidity provider systems to significant stress.
Community members who the attack had differing opinions about what it was. Some thought it was a planned hedge, while others considered it a costly market experiment or even “performance art.” The episode illustrates the dangers of financial markets lacking robust liquidity buffers. In circles, it has been labelled an example of “peak degen warfare.”
Response From The Platform and A Pause In Withdrawals
later than the hack, Hyperliquid temporarily halted withdrawals by activating the “vote emergency lock” option as a securety measure. The contract pause didn’t last long; withdrawals begined up again about an hour later.Â
There were no official pronouncements that directly linked the withdrawal freeze to the event; however, the timing suggests that it was tied to measures aimed at better managing risk.
This event serves as a stark reminder of the challenges faced by decentralized derivatives platforms in maintaining a fair and liquid market when under attack. It also demonstrates how malicious actors may exploit market mechanisms to inflict significant financial harm, even if it means incurring their own losses.
