Hyperliquid Flagged Address Case Study: Transaction Reconstruction
Use this as a reconstruction example: the public case is anonymized, timestamps are normalized to UTC, and access details are omitted. The useful lesson is how to separate frontend evidence, position closes, withdrawals, receipts, and fees.
Incident Overview
The account was flagged by a third-party screening signal, which restricted normal UI access. The case also had multiple open positions, active execution steps, and a final destination-chain receipt that needed to be tied back to the affected account.
Public case facts are limited to client-approved, anonymized information. Full wallet addresses and raw transaction hashes are retained internally, but not shown on this public page.
The useful part of the case is the workflow: separate the frontend warning, position activity, Hyperliquid ledger withdrawals, destination-chain receipts, and fee accounting. Without that separation, a reader can easily mistake a final receipt for the whole story.
The main review question was narrower than "was money received?" The review had to connect the final USDC receipt to the affected account through position-close fills, ledger withdrawals, token-transfer logs, and fee entries.
Public summary:
- Flagged Hyperliquid address with restricted frontend access
- Final receipt value: 104,564.85089 USDC
- Owner-provided fee figure: 572.2262982799999 USDC
- Verified fills during execution window: 248
- Trading fees from fills: 249.714176 USDC
- Support ticket used: No
- Access-method details: withheld for security
- Public wallets and tx hashes: withheld
- Public record type: anonymized incident reconstruction
Evidence Used
The internal case file includes the original wallet, final receiving wallet, Arbitrum receipt transaction, Hyperliquid withdrawal ledger entries, and position-conversion transactions. Because this public version is anonymized, the evidence is summarized rather than displayed verbatim.
The evidence review used transaction order rather than explorer display time alone. Hyperliquid and Arbiscan can present timestamps differently depending on display settings and local timezone assumptions, so the case was normalized around UTC and confirmed by matching the transaction sequence. This prevents a common investigation error: treating two explorer clocks as contradictory when the underlying transaction order is still consistent.
The internal review used this sequence:
- Match the final receiving wallet against the client-approved destination.
- Confirm the final receipt transaction on Arbiscan.
- Reconcile gross received amount against fee deductions.
- Preserve the sequence of Hyperliquid position-close and withdrawal transactions.
- Aggregate fills by hash, coin, direction, fee, and closed PnL.
Note: explorer display times can differ by timezone. All internal timestamps were normalized to UTC before reconciliation.
Frontend-State Evidence
A flagged-address case can include a separate frontend-state evidence category: the warning screenshot, UTC capture time, affected public address, and Hyperliquid legal-check response. This category records whether the official frontend currently allows the address, but it does not replace on-chain evidence.
| Evidence category | What it supports | Limit |
|---|---|---|
| Warning screenshot | Frontend displayed a restriction message | Final asset state or withdrawal path |
| Legal-check response | Official frontend allow/deny state for the address | Balances, positions, or withdrawal status |
| On-chain and ledger records | Actual fills, withdrawals, receipts, and fee reconciliation | Why the screening system assigned the risk signal |
In this case study, frontend-state evidence is treated as context for the incident window. The transaction reconstruction still depends on the sequence of Hyperliquid ledger entries, Arbitrum receipt data, and fee reconciliation.
Public redaction boundary
The public page uses evidence summaries, not raw identifiers. This keeps the case useful while avoiding unnecessary address-linkage exposure.
| Record item | Internal check | Public disclosure |
|---|---|---|
| Affected account existed | Original wallet retained in case file | Not shown |
| Final USDC receipt occurred | Arbitrum receipt and token logs matched | Amount and UTC time shown |
| Open exposure was closed | Hyperliquid fills grouped by asset and side | Aggregated fill table shown |
| Fees reconciled | Ledger entries, fill fees, and owner figure compared | Amounts shown without addresses |
UTC Timeline
| Event | UTC Time | Source | Review significance |
|---|---|---|---|
| Flag warning detected | 2025-09-14 08:12 | Hyperliquid Explorer | Start of restricted-access incident window |
| First verified position close | 2025-09-14 15:16 | Hyperliquid API fills | Shows account state was not idle USDC only |
| Main position-close batch | 2025-09-14 15:35-16:03 | Hyperliquid API fills | Primary realized PnL and trading-fee window |
| Post-close reconciliation gap | 2025-09-14 16:03-17:33 | Event-order review | Checked for missing fills, ledger movements, and timing conflicts |
| Arbitrum receipt confirmed | 2025-09-14 17:33:10 | Arbitrum RPC / Arbiscan tx | Destination-chain receipt anchor |
| Hyperliquid withdrawal ledger recorded | 2025-09-14 17:33:18 | Hyperliquid ledger API | Ledger-side confirmation for withdrawal accounting |
Execution Path
The operational review focused on asset visibility, position conversion, fee settlement, and final withdrawal. This public version intentionally omits access-method details and should be read as a reconstruction example, not an implementation guide.
For future incidents, the safer pattern is to start with read-only checks: confirm balances, identify open positions, map withdrawal dependencies, and document which assets are immediately movable versus locked or dependent on market actions. Only after the state is understood should any execution path be considered. This reduces the risk of signing the wrong action, closing the wrong position, or relying on an incomplete balance snapshot. For a reusable classification framework, compare the incident with the smart contract recovery boundary guide and the block explorer evidence workflow.
Observed sequence
- Account state was assessed after the flag warning.
- Open perp exposure was reduced through a series of position-close fills.
- USDC withdrawal entries were recorded on Hyperliquid.
- The Arbitrum transaction distributed USDC to multiple destinations, including the client-approved receiving wallet.
- Final receipt was confirmed on Arbitrum and reconciled against the Hyperliquid ledger entries.
Safety lesson: Sensitive access details should stay out of public case studies. The public record should focus on evidence, timestamps, transaction order, and reconciliation.
Transaction Reconstruction
The deepest part of this review was not the final receipt alone. The important question was what happened between the flagged-address warning and the Arbitrum receipt. Using the owner-provided transaction hashes, Hyperliquid API fills, and Arbitrum RPC receipt data, the sequence can be reconstructed at a transaction-group level without publishing wallet or hash details.
The reconstruction grouped fills by execution cluster rather than presenting all 248 rows. Each row below represents a set of fills with the same asset and close direction during the reviewed window. This makes the public table auditable at a summary level while avoiding a raw dump that would be difficult to read and easier to misuse.
Position-close batch
The Hyperliquid fills show that the account did not simply withdraw an idle USDC balance. A series of open positions were closed first. Across the verified execution window, the API returned 248 fills, with total trading fees of 249.714176 USDC and total closed PnL of -44,653.465322 USDC. The negative PnL is not treated as a service fee; it is the realized result of closing existing market exposure.
| UTC Time | Asset | Action | Fills | Size | Fee | Closed PnL |
|---|---|---|---|---|---|---|
| 15:16:01 | DOT | Close Long | 21 | 15,445.6 | 29.861476 | 1,961.669246 |
| 15:35:18 | AVAX | Close Long | 40 | 1,211.09 | 15.833342 | 645.322537 |
| 15:35:37 | WLFI | Close Long | 32 | 523,377 | 49.816210 | 500.988857 |
| 15:36:27 | LINK | Close Long | 5 | 206.8 | 2.235135 | -80.694392 |
| 15:36:34 | HYPE | Close Long | 1 | 1.79 | 0.043676 | -2.876530 |
| 15:36:39 | BTC | Close Long | 1 | 0.00087 | 0.045111 | 1.157100 |
| 16:02:42 | PUMP | Close Short | 36 | 17,380,177 | 70.049109 | -39,008.978473 |
| 16:02:50 | JUP | Close Long | 26 | 95,067 | 22.683549 | -323.642400 |
| 16:02:57 | W | Close Long | 20 | 370,095 | 14.909514 | -2,026.755136 |
| 16:03:03 | PUMP | Close Short | 8 | 2,315,980 | 9.049069 | -4,564.192746 |
This batch shows why a flagged-account incident can be more complex than a simple withdrawal problem. If the account contains open perps, the execution path has to account for market exposure, realized PnL, trading fees, and the timing gap between close fills and the final withdrawal.
Two details matter for interpretation. First, the negative closed PnL is market outcome, not an external charge. Second, the trading-fee total comes from fill records and should not be merged with withdrawal fees or owner-provided fee accounting. Combining them would overstate one category and obscure the actual execution path.
Withdrawal reconciliation
The Hyperliquid ledger recorded two withdrawal entries at 2025-09-14 17:33:18 UTC. One entry matched the client receipt of 104,564.85089 USDC. A second smaller withdrawal entry of 571.226298 USDC, plus a 1 USDC withdrawal fee, reconciles with the owner-provided fee figure of approximately 572.226298 USDC. The final Arbitrum transaction was confirmed at 2025-09-14 17:33:10 UTC and included a USDC transfer to the client-approved receiving wallet.
The Arbitrum receipt also showed multiple USDC transfers in the same transaction. The public page does not list the recipient addresses, but the decoded transfer amounts included 104,564.85089 USDC to the destination wallet and a smaller 571.226298 USDC transfer consistent with the fee reconciliation. This is why the case record separates trading fees, withdrawal fees, and owner-provided fee accounting instead of combining them into one vague cost number.
Accounting Review
The accounting review separates four categories: final destination receipt, trading fees from fills, protocol withdrawal fees, and the owner-provided fee figure. The categories answer different questions and should not be collapsed into a single headline number.
| Accounting item | Amount | How it was treated |
|---|---|---|
| Final destination receipt | 104,564.85089 USDC | Primary on-chain outcome for the client-approved wallet |
| Smaller same-window withdrawal | 571.226298 USDC | Matched against owner-provided fee accounting |
| Withdrawal fee linked to smaller entry | 1.000000 USDC | Protocol-side fee component in ledger data |
| Owner-provided fee figure | 572.2262982799999 USDC | Reconciles with smaller withdrawal plus withdrawal fee, allowing decimal precision dust |
| Trading fees from fills | 249.714176 USDC | Execution cost from closing positions, tracked separately |
| Closed PnL from fills | -44,653.465322 USDC | Market result from existing exposure, not a fee |
Reconciliation formula used for the owner-provided fee figure: 571.226298 USDC + 1.000000 USDC = 572.226298 USDC. The owner-provided value includes additional decimal precision, leaving a residual of less than one-millionth of a USDC. That residual was treated as rounding precision, not a separate transfer category.
Risk Controls
The case was reviewed carefully because one wrong action could have created a second loss. The public article does not provide instructions for repeating the access route. Instead, it highlights controls that are useful in any incident review.
- Preserve the original warning text and affected address before taking any action.
- Use read-only balance and position checks before signing transactions.
- Separate spot balance, open perps, ledger entries, pending withdrawals, and final chain receipts.
- Normalize every timestamp to UTC before comparing Hyperliquid, Arbitrum, and explorer records.
- Do not treat realized PnL, trading fees, withdrawal fees, and external fee accounting as the same cost category.
- Avoid publishing full wallet relationships unless the owner has explicitly approved disclosure.
- Avoid using unverified workflows that cannot explain the action, destination, fee, and expected receipt.
Review Boundary
This article covers one anonymized case file: the flagged-account incident, position-close sequence, withdrawal ledger entries, and destination-chain receipt. Use it as a reconstruction example, then compare your own account state separately.
Several details remain intentionally outside the public record: complete wallet addresses, full transaction hashes, screenshots, access-route specifics, and client communications. Those omissions are deliberate. They reduce address-linkage risk while still allowing the article to explain the chain-state logic behind the case.
The important habit is cross-checking independent categories: Hyperliquid fill aggregation, Hyperliquid withdrawal ledger entries, Arbitrum token-transfer logs, UTC event order, and the owner-provided fee figure. If any one of those categories disagrees materially in a future case, treat the reconstruction as incomplete until the gap is resolved.
Results
| Final receipt | 104,564.85089 |
| Owner-provided fee figure | 572.2262982799999 |
| Trading fees from verified fills | 249.714176 |
| Total verified fills | 248 |
| Support ticket used | No |
| Public tx hash | Withheld |
| Public wallet disclosure | Withheld |
The outcome recorded for this public case is that funds were received on the destination chain and the receipt was reconciled against the internal case file. Public disclosure is intentionally limited to reduce unnecessary exposure.
The withheld fields are part of the publication boundary. The internal record preserves the wallet and transaction evidence, while the public article avoids publishing relationships that could expose the client to unwanted attention or social-engineering attempts.
Frequently Asked Questions
How can this case be checked without showing full hashes
The public page is anonymized. Internal verification matches the original wallet, destination wallet, transaction sequence, and final receipt on Arbiscan.
Why are all timestamps normalized to UTC
Different explorers can show local time differently. UTC avoids ambiguity and makes cross-source reconciliation more reliable.
Why are access-method details omitted
Access-method details are omitted because the public case is meant to show evidence handling, transaction order, and reconciliation rather than a step-by-step action guide.
Why was support not the only path used
The case was time-sensitive, so support was not relied on as the only path. The final public write-up focuses on the evidence chain rather than the method of access.
How should readers use this case
Use it as an example of transaction reconstruction, timestamp normalization, fee reconciliation, and public redaction boundaries in one anonymized incident.
Conclusion
This case shows how a Hyperliquid flagged-address incident can be reconstructed from account state, fills, ledger entries, destination-chain receipts, and fee accounting. The useful lesson is the review sequence, not the access method.
Key takeaways:
- Normalize timestamps to UTC before comparing explorers.
- Use on-chain receipts and transaction order as the source of truth.
- Keep access-method details out of public incident reports.
- Separate trading fees, withdrawal fees, realized PnL, and service accounting.
- Keep public case studies anonymized when wallet relationships should not be exposed.
For readers facing a similar warning, start with documentation rather than action. Save the warning text, record the affected address, export relevant transaction history, and verify balances through independent sources. If the account has open positions, write down the exposure and liquidation risk before choosing the next step. That creates a decision record support, a technical reviewer, or an internal security team can actually use.
Compare Flagged-Address Withdrawal Options
Use the withdrawal options guide to compare support, API review, and guided workflow paths before choosing any next step.
Compare Withdrawal Options Request Technical Review
This public case report does not expose hashes, wallet addresses, or access-method details.
About the Author: Carlos Vendrell
Last updated: