Hyperliquid suspended deposits and withdrawals on November 12, 2025, as the decentralized perpetuals exchange confronts indicators of another sophisticated attack targeting its $534 million Hyperliquidity Provider vault. The maintenance pause mirrors defensive measures taken during previous exploitation attempts, including the March 2025 JELLYJELLY incident that threatened $230 million in user funds. With the platform now commanding 61% of decentralized exchange perpetuals volume and processing $5.8 billion in daily perpetual trading volume, any successful breach could destabilize the broader DeFi derivatives ecosystem. This marks the platform's third significant security challenge in 2025, following the $13.5 million JELLY manipulation in March and a $4 million loss transferred to HLP in September through liquidation inheritance exploitation.
How Attackers Exploit Liquidation Inheritance
The attack mechanism revolves around Hyperliquid's liquidation inheritance policy, where the HLP vault automatically absorbs underwater positions that cannot be liquidated in time. Attackers open massive short positions on low-liquidity tokens with thin order books and limited spot market depth, typically selecting assets with under $100,000 daily volume across the handful of exchanges Hyperliquid's oracle monitors. Once the position is established, the attacker deliberately withdraws margin collateral, triggering automatic liquidation while the HLP vault inherits this toxic short position.
The critical exploitation phase involves coordinated spot market manipulation across every exchange feeding Hyperliquid's price oracle. In the March JELLY attack, perpetrators simultaneously pumped the token's price by 400% within an hour across multiple venues, forcing the oracle to report the artificially inflated valuation. Since HLP inherited a massive short position at the original lower price, the manipulated spike created unrealized losses exceeding $12 million. The attacker simultaneously held long positions on external exchanges, profiting from the pump while HLP absorbed catastrophic losses. When open interest exceeds critical thresholds, Hyperliquid's safety mechanisms block new positions, preventing liquidators from closing the underwater short and amplifying losses as the manipulated price continues climbing.
The Numbers Behind Repeated Attacks
Hyperliquid's current exposure makes it an increasingly attractive target for sophisticated exploiters. The platform's total value locked reached $534 million as of November 2025, while the HLP vault specifically maintains approximately $372 million in assets according to recent metrics. Despite generating $68 million in cumulative profits through November 2025, the vault has experienced significant drawdowns from exploitation attempts. The March JELLY incident temporarily created $13.5 million in unrealized losses before validator intervention, while September's ETH liquidation manipulation transferred $4 million in losses from a single trader to HLP.
The platform's explosive growth compounds these vulnerabilities. Hyperliquid processed $284 billion in perpetual contract volume during October 2025, representing 61% of all DEX perpetuals trading. Daily volumes consistently exceed $5.8 billion, with the platform generating $83.6 million in fees over the past 30 days. This liquidity concentration creates enormous incentive for attackers, as successful exploits can extract millions while the platform's decentralized structure complicates rapid intervention. The HYPE token trades at $44.01 with a $14.6 billion market capitalization, though an impending $10.8 billion token unlock scheduled for November 2025 creates additional economic pressure.
Previous attacks demonstrated precise engineering. The March JELLY exploiter deposited $7.17 million across three accounts, built a 430 million token short position worth $4.08 million, then systematically manipulated spot prices from $0.0095 to $0.0627. Despite validator intervention freezing the attack within two hours, the perpetrator withdrew $6.26 million before lockdown, netting substantial profit. September's incident saw trader 0xf3f4 deposit $15.23 million to establish a $306 million ETH position, then withdraw $17.09 million to force liquidation at inflated prices, securing $1.86 million profit while HLP absorbed $4 million in losses.
Why Hyperliquid Remains Vulnerable
The current November 12 maintenance pause suggests attackers continue probing Hyperliquid's defenses despite protocol adjustments. Following March's JELLY disaster, validators reduced maximum leverage to 40x for Bitcoin and 25x for Ethereum, down from previous 50x limits. However, these changes fail to address the core oracle manipulation vulnerability. Hyperliquid's price feeds rely on weighted averages from publicly disclosed spot exchanges, allowing attackers to calculate precise capital requirements for effective manipulation.
The platform faces competing pressures around decentralization. During the JELLY attack, validators controversially invoked oracle override mechanisms to delist the token and settle positions at $0.0095 rather than the manipulated $0.50 price, ultimately securing HLP a $700,000 profit instead of catastrophic losses. While this intervention prevented liquidation cascade, it sparked intense debate about Hyperliquid's commitment to permissionless operation. Critics note that manual validator intervention and selective fund freezing contradict decentralized exchange principles, yet without such mechanisms, the entire $534 million vault could face liquidation during coordinated attacks.
Regulatory scrutiny intensifies as institutional players including VanEck and State Street explore Hyperliquid exposure following the platform's USDH stablecoin proposal. The September incident drew additional concerns after blockchain investigators linked certain high-leverage Hyperliquid trades to phishing operations and suspected North Korean cybercriminal activity, raising money laundering questions alongside technical vulnerabilities.
What Traders Should Monitor
Hyperliquid must resolve the current maintenance pause while addressing fundamental oracle architecture weaknesses. The platform's dual-block HyperEVM infrastructure now hosts over 180 projects with $4.1 billion in ecosystem TVL, up 19% month-over-month through November 2025. Success depends on implementing manipulation-resistant oracle designs, potentially incorporating time-weighted average prices, expanded exchange coverage for price feeds, or circuit breakers that pause trading when detecting abnormal cross-exchange price divergence.
Key metrics to track include HLP vault TVL stability, which peaked at $512 million earlier in 2025 before settling at current $372 million levels, and weekly profit-loss swings that indicate exploitation attempts. The platform's 518,000 active addresses and $2.1 trillion cumulative perpetual volume demonstrate strong user adoption, though retention during security crises remains uncertain. The November HYPE token unlock introducing $10.8 billion in new supply could trigger selling pressure, potentially reducing the economic incentive for vault participation.
Frequently Asked Questions
Q: Is this attack confirmed or just a precautionary maintenance pause?
A: Hyperliquid has not officially disclosed specific attack details as of November 12, 2025. However, the sudden deposits and withdrawals freeze follows the exact pattern from March 2025 when validators detected the JELLYJELLY manipulation attempt. The platform's history of three significant incidents in 2025 suggests defensive action rather than routine maintenance, particularly given the lack of advance notice to users.
A: Hyperliquid has not officially disclosed specific attack details as of November 12, 2025. However, the sudden deposits and withdrawals freeze follows the exact pattern from March 2025 when validators detected the JELLYJELLY manipulation attempt. The platform's history of three significant incidents in 2025 suggests defensive action rather than routine maintenance, particularly given the lack of advance notice to users.
Q: How does this differ from the March JELLY attack that cost $13.5 million?
A: While full details remain undisclosed, the mechanism likely mirrors previous exploits targeting liquidation inheritance and oracle manipulation. The key difference is Hyperliquid now processes far higher volumes at $5.8 billion daily versus lower levels in March, potentially enabling larger-scale attacks. The platform also reduced leverage limits to 40x BTC and 25x ETH post-JELLY, which may limit but not eliminate exploitation vectors through low-liquidity token manipulation.
A: While full details remain undisclosed, the mechanism likely mirrors previous exploits targeting liquidation inheritance and oracle manipulation. The key difference is Hyperliquid now processes far higher volumes at $5.8 billion daily versus lower levels in March, potentially enabling larger-scale attacks. The platform also reduced leverage limits to 40x BTC and 25x ETH post-JELLY, which may limit but not eliminate exploitation vectors through low-liquidity token manipulation.
Q: Are user funds deposited outside the HLP vault at risk?
A: No confirmed breaches of user spot or margin account funds have occurred across any 2025 incidents. The attacks specifically target HLP's liquidation inheritance mechanism, not individual wallet security. However, the October 2025 incident where a user lost $21 million after private key compromise demonstrates separate wallet security risks unrelated to protocol vulnerabilities. Users maintaining proper key security should not face direct exposure from HLP exploitation attempts.
A: No confirmed breaches of user spot or margin account funds have occurred across any 2025 incidents. The attacks specifically target HLP's liquidation inheritance mechanism, not individual wallet security. However, the October 2025 incident where a user lost $21 million after private key compromise demonstrates separate wallet security risks unrelated to protocol vulnerabilities. Users maintaining proper key security should not face direct exposure from HLP exploitation attempts.
Q: What happens to my HLP vault deposits if validators intervene again?
A: Historical precedent from March 2025 shows validators can override oracles and settle manipulated positions at predetermined prices, ultimately securing vault profitability. HLP maintained $68 million cumulative profits through November 2025 despite multiple attacks, generating approximately 11% annualized returns for depositors. However, intervention decisions remain at validator discretion without guaranteed timelines, and the September incident demonstrated HLP can absorb multi-million dollar losses that reduce overall returns.
A: Historical precedent from March 2025 shows validators can override oracles and settle manipulated positions at predetermined prices, ultimately securing vault profitability. HLP maintained $68 million cumulative profits through November 2025 despite multiple attacks, generating approximately 11% annualized returns for depositors. However, intervention decisions remain at validator discretion without guaranteed timelines, and the September incident demonstrated HLP can absorb multi-million dollar losses that reduce overall returns.
Q: Should traders avoid Hyperliquid until vulnerabilities are fixed?
A: Risk tolerance determines appropriate action. The platform dominates 61% of DEX perpetuals market share and maintains strong security for individual trading accounts separate from HLP vault exposure. Traders not depositing into HLP face minimal direct risk from these specific attacks, though platform-wide instability during crises could impact liquidity and execution. HLP depositors should weigh the 11% annualized returns against demonstrated vulnerability to sophisticated exploitation attempts that validators may not always contain successfully.
A: Risk tolerance determines appropriate action. The platform dominates 61% of DEX perpetuals market share and maintains strong security for individual trading accounts separate from HLP vault exposure. Traders not depositing into HLP face minimal direct risk from these specific attacks, though platform-wide instability during crises could impact liquidity and execution. HLP depositors should weigh the 11% annualized returns against demonstrated vulnerability to sophisticated exploitation attempts that validators may not always contain successfully.