POPCAT malicious manipulation! Hyperliquid suffers $4.9 million as attacker self-destructs $3 million.

The well-known decentralized Perptual Futures exchange Hyperliquid has made headlines this week for suffering a “Liquidity Attack,” where a trader maliciously manipulated the price of the meme coin POPCAT, leading to a loss of 4.9 million USD for the exchange's active market-making pool Hyperliquidity Provider (HLP).

POPCAT Manipulation Attack Complete Timeline

(Source: ArbiScan)

According to platform screenshots and transaction records on the blockchain explorer ArbiScan, Hyperliquid suspended the deposit and withdrawal services for the Arbitrum cross-chain bridge around 12:22 AM on November 13, citing “system maintenance” as the reason. On-chain analyst MLMabc speculated in a post that the reason Hyperliquid suspended the deposit and withdrawal services might be due to a trader conducting large-scale POPCAT long positions on the platform, intending to artificially drive up the price.

About 13 hours ago, the attacker withdrew 3 million USDC from the CEX, distributing it to 19 wallets. Around 14:45 Central European Time, he began placing a long position of about 20 million POPCAT at around $0.21. After these long positions accumulated, the total position of the 19 wallets reached about 30 million dollars. When he removed the eight-digit buy wall, approximately 20 million to 30 million POPCAT long positions were instantly liquidated, forcing HLP to passively take over this position.

Analysts point out that this wave of operations led to a further drop in the price of POPCAT, causing HLP to suffer a loss of about 4.9 million USD, after which Hyperliquid manually closed the positions. MLMabc believes that the trader's actions were intended to “deliberately disrupt Hyperliquid”, stating, “No one could lose 3 million USD in just a few seconds due to carelessness.” This comment reveals the non-profit nature of the attack, with the attacker's initial capital completely exhausted during the process.

Four Key Stages of the POPCAT Attack

Funding Preparation: Withdraw 3 million USDC from CEX and distribute it to 19 wallets.

Establish Long Position: Open a leveraged long position of 26 million USD in POPCAT around $0.21

Manufacturing False Liquidity: Setting up a $20 million buy wall sends a strong market signal.

Trigger Chain Liquidation: Removing the buy wall leads to the disappearance of liquidity, and long positions are forced to close.

Precision Design and Execution of Buy Wall Traps

This buy wall worth 20 million USD created a temporary illusion of demand strength. The price reacted to this signal, rising as participants interpreted the buy wall as structural support. However, once the wall disappeared, this support vanished, and liquidity thinned out. With no bids to absorb market fluctuations, high-leverage positions began to be liquidated on a large scale. The Hyperliquidity Provider vault of the protocol is designed to absorb such events and has been comprehensively affected.

A buy wall is a common price manipulation tactic in cryptocurrency exchanges. An attacker places a large number of buy orders at a certain price level, creating the illusion that there is strong support at that price. Other traders, seeing this large buy order, may follow up with long positions, believing that the price will not drop below that level. However, when the attacker suddenly removes the buy wall, the price loses support and quickly drops, trapping the traders who followed up with long positions and even forcing them to liquidate.

In this POPCAT manipulation incident, the attacker’s precision lay in simultaneously establishing massive long positions and a buy wall. The buy wall not only deceived other traders but, more importantly, created a temporary price support for their long positions. When the attacker removed the buy wall, not only were the long positions of other traders liquidated, but even the attacker’s own $30 million long position was forcibly closed.

The key to this operation lies in the clearing mechanism. In Perptual Futures trading, when the position loss reaches a certain level, the exchange will automatically force a liquidation to protect the system. Since Hyperliquid adopts an Automated Market Maker (AMM) mechanism, when large long positions are forcibly liquidated, the platform's liquidity pool must take over these positions. The sharp drop in POPCAT prices caused the positions taken over by HLP to incur substantial losses immediately.

Non-profit attack reveals structural vulnerabilities in DeFi

The difference between this event and typical price manipulation is that the initiators did not profit. The initial capital of 3 million dollars was completely consumed during this process. This strongly indicates that the goal was not economic gain, but rather structural sabotage. By introducing false liquidity signals, removing them at precise points, and triggering liquidation thresholds, the attackers were able to manipulate the internal logic of the vault system.

This kind of “suicidal attack” is extremely rare in the history of cryptocurrency. The attacker is willing to lose 3 million dollars to cause a loss of 4.9 million dollars for Hyperliquid, which means it is not for profit, but possibly to damage competitors, test system vulnerabilities, or conduct “performance art.” The community's reactions range from technical analysis to irony. One observer described it as “the most expensive research ever,” while another observer believes the entire 3 million dollars burned is “performance art.”

The vault aims to balance the risks between positions and provide liquidity during volatile moments, but it has been drawn into a liquidation cascade that cannot be fully contained. This raises questions about how the automatic liquidity mechanism handles comprehensive volatility events, especially when faced with malicious yet structurally informed participants. In this instance, no weaknesses were found in the codebase. Instead, the vulnerability lies in the assumptions that support market structure and risk control.

Hyperliquid also encountered a similar incident in March this year, when a trader shorted the Solana meme coin JELLYJELLY, only to see the coin price surge by 429% in one hour, resulting in the platform bearing an unrealized loss of 12 million dollars. This POPCAT incident marks another significant loss for Hyperliquid due to a single coordination event, highlighting that even in the absence of external code exploitations, internal systems can be compromised through precise liquidity attacks.

Emergency Locking Mechanism and Platform Response

Shortly after the vault was affected, Hyperliquid's withdrawal bridge was temporarily disabled. A developer associated with the protocol stated that the platform had suspended operations using a feature called “voting emergency lock.” This mechanism allows contract administrators to halt certain operations during suspected manipulation events or infrastructure risks. The withdrawal function was re-enabled in about an hour. Hyperliquid did not release any official communication linking the freeze directly to POPCAT trading events.

However, this timing suggests taking precautions aimed at preventing additional capital outflow or manipulation during periods of platform instability. This emergency locking mechanism is quite controversial in Decentralization finance. On one hand, it provides necessary security guarantees, allowing the team to protect user funds during a crisis. On the other hand, it undermines the commitment to “Decentralization” as centralized administrators still have the power to freeze funds.

After the attack, Hyperliquid has not announced any changes to its treasury mechanism. However, the broader DeFi ecosystem may take note of this strategy and review how the treasury absorbs or reflects risks under coordinated synthetic pressure. This POPCAT incident has become a case study illustrating how to apply pressure from within a decentralized system using only publicly available tools and capital.