The Hidden Risks of DeFi: Unveiling the Tactics Behind Financial Manipulations

The rapidly evolving DeFi sector offers numerous undeniable advantages to users, regardless of their capital, age, or country of residence. All you need is a smartphone and internet access to tap into savings, loans, and other financial instruments, eliminating the need for KYC, bureaucratic hurdles, and intermediaries.

For those unbanked, this represents a chance to securely manage their money without unnecessary red tape; and in countries experiencing high inflation, stablecoins are emerging as an alternative to depreciating fiat currencies. Transactions are executed via smart contracts—swiftly, transparently, and without the burdens of waiting for callbacks.

Nevertheless, the DeFi landscape continues to resemble the «Wild West,» marked by a lack of regulatory clarity and risks of manipulation, which raises concerns among institutional investors and regulators. However, the industry is maturing quickly, with increasingly effective tools being developed to detect and prevent dishonest practices.

Uniswap has maintained its position as a leader in trading volume among DEXes for years, only occasionally losing this title to Raydium, built on the Solana blockchain.

As one of the first platforms to introduce the AMM mechanism to the market, Uniswap continues to be a pioneering force in DeFi innovation.

However, even in this domain, manipulations occur. One frequently employed tactic is known as sandwich attacks. Inspired by high-frequency trading strategies from TradFi, this method involves an attacker placing a buy order before the victim’s transaction and a sell order immediately after, all within a single block. This distorts prices temporarily, allowing the attacker to profit at the user’s expense.

According to Kaiko, in March, a market participant attempted to exchange ~220,800 USDC for USDT in a corresponding liquidity pool on Uniswap V3 within the Ethereum network. Shortly before the trade was executed, the attacker sold nearly $20 million worth of USDC for USDT, causing the price of the Circle stablecoin to plummet to $0.024 USDT due to reduced liquidity and increased slippage within the pool.

As a result, the exchange was completed at an exceptionally unfavorable rate: the user received only about 5,300 USDT instead of the expected 220,800 USDT, incurring a loss of approximately $215,500.

Observations indicated that this incident coincided with a decrease in USDC liquidity on Uniswap V3; more funds were withdrawn from the pool than added on the day of the attack, enabling the manipulator to execute the scheme effectively and significantly impact the price.

Similar, if not more sophisticated, attacks periodically occur on other non-custodial exchanges, including the hype-driven platform Hyperliquid.

Hyperliquid, one of the largest platforms for decentralized perpetual futures, was targeted in a coordinated attack at the end of last month. The incident, along with the project’s management response, stirred considerable discussion and raised doubts about the principles of decentralization within the crypto community.

On March 26, 2025, an unknown trader targeted the Hyperliquid Provider Vault (HLP), simultaneously opening significant positions in contracts based on the low-liquidity crypto asset Jelly-My-Jelly (JELLYJELLY): a short position valued at ~$4 million and two long positions totaling ~$3 million.

JELLYJELLY’s market capitalization is modest at $11.5 million, with the coin listed on both DEXs and centralized exchanges (CEXs).

During the attack, the trader executed two coordinated operations by opening both a short and a long position on perpetual contracts for the token, resulting in the price of Jelly-My-Jelly skyrocketing by over 500%—from $0.00806 to $0.0517—within an hour.

According to Kaiko researchers, this attack exposed vulnerabilities in Hyperliquid’s liquidation mechanism.

They noted that the situation was exacerbated by actions taken by Binance and OKX, which listed futures for Jelly-My-Jelly on the same day that trading volume on Bybit reached a record $150 million.

Kaiko also pointed out that the activity surrounding JELLYJELLY was marked by sharp price fluctuations and liquidations on both sides of the market.

Following the attack, Hyperliquid halted trading on JELLYJELLY contracts at the validators’ directive due to «suspicious market activity.» The whale was able to withdraw about $6.2 million.

The crypto community had previously highlighted oddities within Hyperliquid. Weeks prior to the described attack, EmberCN analysts noted **anomalous behavior among several large traders**, which may have been a test of the liquidation mechanism’s resilience.

Experts at 10x Research pointed out that Hyperliquid’s high level of transparency has opened the door to a sort of «popular hunting» for leveraged whales, aimed at forcibly liquidating their positions. They believe that the emergence of this trend could significantly shift the balance of power within the market.

An example is the incident on March 16, when a user under the pseudonym CBB suggested to the community that they liquidate a large trader’s position—who had opened a short on 4,442 BTC with a 40x leverage. As a result of coordinated actions, the price of Bitcoin rose by 2.5%, forcing the whale to increase their position to 6,210 BTC (~$524 million) to avoid liquidation.

Analysts have drawn parallels with the events surrounding GameStop stock, where retail investors united against hedge funds. Such «popular hunting» could become a new trend in crypto trading, allowing smaller players to influence large investors’ actions.

A year ago, a group of MEV bots that profited from backrunning lost over $25 million due to an attack from a fraudulent validator.

According to CertiK, the attacker altered the recipient addresses in the transaction chain, diverting profits into their wallets as Wrapped BTC (WBTC), Ethereum (WETH), and stablecoins USDC, USDT, and DAI.

Shortly after the incident, Tether blacklisted one of the related addresses, which contained assets worth approximately $3 million.

This decision sparked a wave of criticism on social media. Users questioned the decentralization of the largest stablecoin in the market.

A Cryptonary media representative raised concerns about how such wallets are blocked.

Last September, an «unsuccessful» MEV bot took an instant loan of $11.7 million to perform a sandwich attack but earned only $20 in profit.

The target was a user attempting to trade $5,000 worth of Shuffle (SHFL) tokens for WETH, with a slippage of about 2%.

The bot conducted 14 transactions, utilizing DeFi protocols Balancer, Aave, and Uniswap. After accounting for gas fees, the total profit was just over $20.

Commenters wryly noted that in the current market, even an MEV bot fails to earn more than $20.

Michael Nadjo, founder of The DeFi Report, provided several recommendations on how to avoid falling into an MEV bot’s trap when interacting with DEXes:

Many projects aim to minimize the impact of MEV on the Ethereum ecosystem. One of the most notable initiatives is **Flashbots**, a research organization developing tools to mitigate the negative effects of Maximal Extractable Value and reduce risks for the network.

Certain crypto wallets are integrating built-in features to protect users from MEV attacks. For example, **MetaMask** has introduced a Smart Transactions option that utilizes a «virtual mempool» for submitting operations before they reach the blockchain, helping to prevent front-running and other MEV attacks.

This solution is designed to guard against bot strategies and provides instant transaction modeling, allowing users to evaluate outcomes in advance and reduce gas costs.

The feature was developed with input from the Special Mechanisms Group at ConsenSys.

Smart Transactions do not activate automatically—users have the choice to enable or disable it at any time and can revert to regular transactions through the app. MetaMask does not charge fees for using this option.

In 2022, the **1inch Network** launched RabbitHole—a tool to protect MetaMask users from «sandwich attacks.»

This feature acts as a proxy between the wallet and Ethereum validators, allowing swap transactions to bypass the mempool. To implement this solution, 1inch integrated products from Flashbots, BloXroute, Eden, and Manifold.

Despite adverse market conditions, the DeFi sector continues to gain popularity, offering innovative financial tools without intermediaries. However, it remains relatively young and vulnerable to attacks and manipulations.

Recent incidents involving Uniswap and Hyperliquid have vividly illustrated vulnerabilities associated with low liquidity tokens and weaknesses in liquidation mechanisms. Analyzing these attacks revealed that manipulations are often directly or indirectly supported by major centralized exchanges, further distorting price formation and exacerbating risks for traders.

In light of this, the community needs to actively develop new tools aimed at enhancing trading transparency and minimizing manipulation opportunities. Only then can the ecosystem progress to the next stage of maturity and strengthen trust among institutional players and retail users alike.