In November 2025, Hyperliquid was the victim of a price manipulation attack, the second attack causing over $1M in damage that it suffered this year. The attackers caused an estimated $4.9 million in losses for the platform using the POPCAT token.
Inside the Attack
The Hyperliquid attack began with the attacker distributing an estimated $3 million in USDC from the OKX Exchange across 19 wallets. These wallets created long positions in POPCAT with a combined value of over $20 million.
After creating these long positions, the attacker created a substantial buy order for approximately $20 million at $0.21. This had the effect of drawing in additional liquidity and increasing the price of the token.
After the price increased sufficiently, the attacker withdrew their buy orders, causing a substantial crash in POPCAT prices. As a result, many leveraged positions were liquidated, including the attacker’s own $3 million position. Once liquidity was exhausted, the Hyperliquid community-owned liquidity vault was forced to absorb approximately $4.9 million in bad debt.
When the incident was discovered, Hyperliquid halted withdrawals on the platform as it performed incident management. Additionally, Hyperliquid’s Arbitrum bridge was temporarily halted to stop additional outflows and increase the stability of the platform.
Lessons Learned from the Attack
The Hyperliquid incident is an example of how an attacker can use price manipulation to cause damage to a protocol as long as they’re willing to pay the price. In this case, the attacker absorbed $3 million in losses to cause nearly $5 million in losses for the Hyperliquid platform.
This attack was possible due to the amount of leverage permitted for the POPCAT token and automatic absorption of losses due to liquidated positions. In this case, users were permitted to create positions with over 10x leverage, resulting in significant losses if someone decided to manipulate prices. With POPCAT’s thin depth on Hyperliquid, an attacker was able to do so and force the community-owned pool to absorb the losses.
This attack exploited the design of Hyperliquid’s pools rather than any specific vulnerability in the protocol. Addressing these types of risks requires careful review and threat modeling when designing and configuring protocols, alongside traditional smart contract code reviews.
Halborn offers advisory services that help projects identify and manage risks throughout the lifecycle of a DeFi project. To learn more about working with Halborn to enhance the security of your project, get in touch.