JELLY Manipulation Postmortem: What Really Happened

May 11, 2026

The hardest part of reviewing a major market incident is not repeating the visible timeline. It is understanding the mechanism underneath: why existing risk controls failed, how each step played into the attacker’s plan, and what the incident means for traders using on-chain perpetuals. Source: Hyperliquid docs.

This post uses the March 2025 Hyperliquid JELLYJELLY（JELLY）manipulation incident as a case study. The goal is to explain the mechanics clearly so perp traders can understand the root logic, not just remember that “something happened.”

This analysis is based on publicly available on-chain data and Hyperliquid’s official communications. It does not rely on unverifiable figures or claims about participant identities.

Key comparison table

Dimension	Common Perception Before the Event	Updated Perception After the Event
HLP Risk	Widely regarded as a stable yield tool	Confirmed the possibility of significant losses under extreme scenarios
Small-Cap Contracts	Highly volatile but tradable	Manipulation risk exists when the spot/contract ratio is imbalanced
Validator Power	A decentralized role operating in the background	Has the power to intervene directly in emergencies
Cross-Market Risk	Mainly focused on the contract itself	Spot manipulation can systematically affect contract liquidations

Background: Why JELLY Became a Target

To understand the incident, you first need to understand Hyperliquid’s market structure. On Hyperliquid, the liquidation system is closely tied to HLP, the Hyperliquid Provider vault. When a position is forcibly liquidated and the market does not have enough counterparties to absorb it, the risk can be passively taken on by HLP.

This design can work well for major assets with deep spot liquidity. Liquidated positions can usually find buyers or sellers quickly. But for smaller tokens with thin spot markets, the risk profile is very different.

JELLY was a typical example: spot liquidity was shallow, yet a perpetual market existed on Hyperliquid. The imbalance between perp open interest and spot market depth created the conditions for manipulation.

Hyperliquid’s own documentation describes the basic exposure model for HLP: it acts as a liquidity backstop for liquidations, and in extreme cases it may be forced into passive positions.

Attack Path Breakdown

Step 1: Build Positions Across Both Sides of the Market

The manipulation was not simply a one-way long or short trade. It relied on the relationship between the on-chain spot market and Hyperliquid’s perpetual market.

The attacker built positions in the perp market while also positioning in the spot market. This set up the next step: moving the spot price in a way that would affect the perp market’s mark price and liquidation conditions.

The key idea was cross-market manipulation. Perpetual prices ultimately reference spot through mechanisms such as funding and mark pricing. If spot can be moved, the liquidation dynamics in the perp market can be influenced indirectly.

Step 2: Push the Spot Price Higher to Trigger Liquidations

Once the positioning was in place, the attacker began pushing up the JELLY spot price. Because JELLY spot liquidity was extremely thin, the cost required to move the market was relatively low, while the price impact could be large.

As the spot price rose quickly, Hyperliquid’s mark price for the JELLY perpetual also moved higher. Short positions then began to hit liquidation thresholds.

Step 3: Liquidated Positions Flow Into HLP

When the short positions were liquidated, there were not enough market participants willing or able to take the other side. Under the protocol’s rules, those positions were transferred into the HLP vault.

At that point, HLP became passively exposed to a large JELLY long position while the spot price was still being pushed upward. The vault’s mark-to-market losses continued to expand.

This was the critical part of the incident. The attacker exploited the fact that HLP served as the final liquidation counterparty, shifting risk from the market into the vault.

Step 4: Emergency Validator Intervention

As HLP’s paper losses grew, Hyperliquid’s validator committee held an emergency vote. The decision was to force-settle all JELLY perpetual contracts at a specific price and delist the market.

According to Hyperliquid’s official announcement, the settlement price resulted in the HLP vault recording a surplus. However, the response triggered a broader community debate: in a decentralized protocol, when is validator intervention acceptable, and does forced settlement fit the trust-minimized ideal?

Three Key Weaknesses Exposed by the Incident

1. Listing Standards Did Not Match Liquidity Risk

At the time, Hyperliquid allowed a low-liquidity asset to list as a perpetual market without sufficiently restrictive margin parameters. That created an opening for manipulation.

The more open interest a thin spot asset has, the more attractive the setup becomes: shallow spot liquidity lowers the cost of moving price, while large perp exposure increases the pressure on the liquidation system.

Compared with listing frameworks used by platforms such as dYdX, more mature perp DEX designs typically apply stricter initial margin requirements and tighter position limits to assets with lower market cap and weaker liquidity.

2. HLP Lacked an Automatic Circuit Breaker for Single-Asset Exposure

During the JELLY incident, HLP did not appear to have an automatic risk cap that would halt or limit exposure to a single asset once a threshold was breached. As a result, the vault accumulated significant risk in a short period and ultimately required manual validator intervention.

GMX’s liquidation documentation illustrates a different approach to risk isolation: liquidity provider exposure can be separated by asset pools, reducing the chance that manipulation in one asset affects the entire vault.

3. The Boundary for Governance Intervention Was Unclear

The validator vote limited losses quickly, but it also raised difficult questions.

Under what conditions should validators intervene? How should a forced settlement price be determined? Which rules should be known in advance at the protocol level?

Because those boundaries were not clearly defined beforehand, the intervention introduced concerns around discretionary decision-making. Even if the outcome reduced damage, the precedent matters for protocol credibility.

Lessons for Traders

The JELLY incident is a reminder that on-chain derivatives risk is not limited to price direction. Traders also need to consider market structure, liquidity depth, liquidation design, vault exposure, and governance intervention risk.

Practical warning signs include:

A token’s perp open interest is large relative to its spot liquidity.
Spot trading volume is thin and concentrated.
A few addresses appear to control unusually large directional exposure.
The perp market depends heavily on a backstop vault during liquidations.
Risk parameters look too loose for the asset’s actual liquidity profile.

None of these signals can predict an incident with certainty. But they can help traders avoid markets where the risk-reward profile is structurally fragile.

OneKey Perps: Keep a Safety Margin in Uncertain Markets

Once you understand the JELLY mechanism, one basic risk-management rule becomes obvious: do not keep more assets in a trading environment than you need.

OneKey Perps, used together with a OneKey hardware wallet, gives traders a practical workflow for interacting with on-chain perp venues such as Hyperliquid while keeping core funds under self-custody. Your main assets can remain protected by offline private keys, while trading actions can still be executed through a smoother on-chain interface.

For transfers and other sensitive actions, hardware confirmation adds an important layer of protection against remote compromise and malicious signing attempts. It does not remove platform-level market risk, but it helps separate your long-term custody from your active trading setup.

To explore the OneKey app, hardware wallets, and OneKey Perps workflow, visit onekey.so/download.

FAQ

Q1: How was the JELLY incident different from a typical flash-loan attack?

A flash-loan attack usually exploits atomic execution inside a single transaction and often completes within one block. The JELLY incident was cross-market price manipulation. It used the relationship between the spot price and the perpetual mark price, took place over a longer window, and involved more complex market structure dynamics.

Q2: Did Hyperliquid update HLP risk parameters after the incident?

Hyperliquid stated that it would review the relevant mechanisms after the event. Any specific parameter changes should be checked against the latest Hyperliquid official documentation. This article does not speculate on updates that are not publicly verifiable.

Q3: Can ordinary users predict similar incidents?

Not perfectly. But traders can monitor warning signs, such as the ratio between perp open interest and average spot trading volume, or whether large one-sided positions appear concentrated among a small number of addresses.

Q4: How is HLP different from a traditional market maker?

A traditional market maker can choose whether to quote, reduce size, widen spreads, or refuse certain risk. HLP, as a protocol-level liquidity backstop, can be forced to absorb positions once liquidation rules are triggered. That passive exposure is the core difference and a key source of HLP risk.

Q5: Can using OneKey prevent losses from a JELLY-style platform incident?

No wallet can prevent losses caused by platform-level market structure risk, liquidation design, or forced settlement. OneKey helps with custody risk: it can keep your main assets separated from hot-wallet environments and reduce the chance that a compromise of your trading setup affects your cold-storage funds.

Conclusion: Postmortems Are About Avoiding Repeat Mistakes

The JELLY incident matters because it exposed a hidden risk path in on-chain derivatives design. It showed how thin spot liquidity, large perp exposure, liquidation backstops, and unclear intervention rules can combine into a serious market event.

For traders who take risk management seriously, the lesson is not to avoid all on-chain perps. It is to trade with better structure: understand the venue, size positions carefully, watch liquidity conditions, and avoid keeping unnecessary funds in active trading environments.

Keeping core assets in a OneKey hardware wallet while using OneKey Perps for trading is one practical way to separate custody risk from trading activity. It gives you access to on-chain market efficiency while maintaining an independent security layer outside the platform itself.

Risk warning: This article is for informational purposes only and does not constitute investment, financial, or legal advice. Perpetual futures trading is high risk and may result in the loss of all principal. This postmortem is based on public information and should not be interpreted as an endorsement or rejection of any platform’s safety. Always assess risks independently before trading.