Revealing the Dark Side of DeFi: Navigating Manipulations in the Financial LEGO System

The growing sector of DeFi presents countless advantages for users, regardless of their financial status, age, or country of residence. As long as you have a smartphone and internet access, you can tap into savings, loans, and various financial tools without the need for KYC, paperwork, or intermediaries.

For those outside the traditional banking system, DeFi provides a dependable way to manage their money without bureaucratic hurdles. In countries experiencing high inflation, stablecoins emerge as an alternative to depreciating fiat currencies. All operations are conducted via smart contracts, ensuring speed, transparency, and a lack of unnecessary delays.

Nonetheless, the DeFi landscape still resembles the «Wild West,» with unclear regulations and manipulation risks that concern institutional investors and regulators. However, the industry is maturing quickly, with enhanced tools being developed to track and combat dishonest schemes.

Uniswap has maintained its position as the leader in trading volume among DEX platforms for many years, occasionally ceding ground to Raydium, a platform built on Solana.

As one of the first platforms to introduce the AMM mechanism, Uniswap remains at the forefront of innovation in the DeFi space.

Nevertheless, manipulations still occur within the platform. A common tactic involves so-called sandwich attacks, inspired by high-frequency trading strategies from traditional finance (TradFi), where an attacker places a buy order before the victim’s transaction and a sell order immediately after, all within the same block. This leads to a temporary price distortion, allowing the attacker to profit at the user’s expense.

According to research from Kaiko, in March, a market participant attempted to exchange approximately 220,800 USDC for USDT in a corresponding liquidity pool on Uniswap V3 within the Ethereum network. Shortly before the trade execution, the attacker sold nearly $20 million in USDC for USDT. This caused the price of the stablecoin from Circle to plummet to 0.024 USDT due to reduced liquidity and increased slippage in the pool.

As a result, the exchange transaction occurred at an extremely unfavorable rate, with the user receiving only about 5,300 USDT instead of the expected 220,800 USDT, incurring a loss of around 215,500 USDT.

Kaiko noted that the incident coincided with a decline in USDC liquidity on Uniswap V3. On the day of the attack, more funds were withdrawn from the pool than were added, facilitating the manipulator’s goals and significantly affecting the price.

Similar, perhaps even more intricate, attacks occasionally happen on other non-custodial exchanges, including the popular Hyperliquid platform.

Hyperliquid, one of the largest decentralized perpetual futures platforms, was subjected to a coordinated attack at the end of last month. The incident and the response from the project management sparked considerable discussion and raised doubts about the principles of decentralization within the crypto community.

On March 26, 2025, an unidentified trader targeted the Hyperliquidity Provider Vault (HLP), opening large positions in contracts based on the illiquid crypto asset Jelly-My-Jelly (JELLYJELLY): a short position of approximately $4 million and two long positions totaling around $3 million.

Despite Jelly-My-Jelly’s modest market capitalization of $11.5 million, the token is available on both DEX and centralized exchanges (CEX).

During the attack, the trader executed two coordinated operations, simultaneously opening a short and a long position on perpetual contracts for the token, causing its price to soar over 500% — from $0.00806 to $0.0517 within just one hour.

Researchers at Kaiko stated that the aforementioned manipulation attack exposed vulnerabilities in Hyperliquid’s liquidation mechanism.

They also noted that the situation was exacerbated by major centralized exchanges like Binance and OKX, which added futures for Jelly-My-Jelly on the same day that trading volume on Bybit reached a record high of $150 million.

Kaiko highlighted that the activity surrounding JELLYJELLY was accompanied by sharp price fluctuations and liquidations occurring on both sides of the market.

Following the incident, Hyperliquid suspended trading of the JELLYJELLY contracts due to «suspicious market activity.» The whale managed to withdraw about $6.2 million.

The crypto community had noted unusual occurrences on Hyperliquid before. A few weeks prior to the attack, EmberCN analysts had recorded abnormal behavior from several large traders, suggesting it might have been a test of the liquidation mechanism’s resilience.

Experts from 10x Research pointed out that Hyperliquid’s high level of transparency allows for a form of «retail hunting» of leveraged whales, aiming to forcefully liquidate their positions. They believe the emergence of this trend could significantly alter the power dynamics within the market.

An illustrative case occurred on March 16 when a user named CBB suggested to the community to liquidate a large trader’s position, who had opened a short on 4,442 BTC with 40x leverage. As a result of coordinated actions, the price of Bitcoin increased by 2.5%, forcing the whale to expand their position to 6,210 BTC (approximately $524 million) to avoid liquidation.

Analysts see parallels with events surrounding GameStop stock, where retail investors united against hedge funds. This type of «retail hunting» could emerge as a new trend in crypto trading, where the transparency of platforms enables smaller players to influence the actions of larger investors.

A year ago, a group of MEV bots that extracted profits from backrunning suffered losses exceeding $25 million due to an attack from a fraudulent validator.

According to CertiK, the attacker swapped the recipient addresses within transaction chains, redirecting profits to their wallets instead of the bots.

Shortly after the incident, Tether blacklisted one of the related addresses, which held approximately $3 million in assets.

This decision drew criticism on social media, with users questioning the decentralization of the largest stablecoin on the market.

A representative from the media outlet Cryptonary raised questions regarding the process of blocking such wallets.

In September last year, an unfortunate MEV bot took an instant loan of $11.7 million to execute a sandwich attack but earned only $20, targeting a user exchanging tokens Shuffle (SHFL) worth $5,000 for WETH, facing about 2% slippage.

The bot conducted 14 transactions involving DeFi protocols like Balancer, Aave, and Uniswap, but its total profit, after gas fees, amounted to just over $20.

Commenters ironically noted that even MEV bots are struggling to earn more than $20 in the current market.

Michael Nado, founder of The DeFi Report, provided several tips on avoiding MEV bot traps when interacting with DEX.

Many projects aim to minimize the impact of MEV on the Ethereum ecosystem. One of the most well-known initiatives is Flashbots, a research organization developing tools to mitigate the adverse effects of Maximal Extractable Value (MEV) and reduce risks for the network.

Some crypto wallets have begun integrating built-in protections against MEV attacks. For instance, MetaMask introduced the Smart Transactions feature, which enables the use of a «virtual mempool» to place operations before they enter the blockchain, thereby helping prevent front-running and other MEV attacks.

This solution is designed to protect against bot strategies and provides instant transaction modeling, allowing users to evaluate potential outcomes and minimize gas expenses.

The feature was developed with input from specialists from ConsenSys’s Special Mechanisms Group.

Smart Transactions are not enabled by default; users can choose whether to activate this option. They may switch back to regular transactions at any time. There is no fee for using this option on MetaMask.

In 2022, the 1inch Network team presented RabbitHole, a tool to protect MetaMask users from sandwich attacks, functioning as a proxy between wallets and Ethereum validators to facilitate swaps while bypassing the mempool. To implement this solution, 1inch integrated products from Flashbots, BloXroute, Eden, and Manifold.

Despite challenging market conditions, the DeFi sector continues to gain popularity by offering innovative financial instruments without intermediaries. Nevertheless, despite its advantages, this burgeoning sector remains relatively young and small, vulnerable to attacks and subject to manipulation.

Recent incidents involving Uniswap and Hyperliquid have clearly illustrated the weaknesses associated with low-liquidity tokens and the flaws in liquidation mechanisms. Analysis of the attacks demonstrates that manipulations are often directly or indirectly supported by major centralized exchanges, distorting pricing and heightening risks for traders.

In light of these circumstances, the community must actively develop new tools aimed at enhancing trading transparency and reducing manipulation opportunities. Only in this way can the ecosystem transition to a higher level of maturity and foster trust among both institutional players and retail users.