On Thursday, a single individual on the decentralized trading platform Hyperliquid incurred a loss of approximately $21 million following a private key leak that facilitated an exploit of the platform’s Hyperdrive lending protocol.
According to blockchain security firm PeckShield, the attacker focused on seizing 17.75 million DAI (DAI) and 3.11 million SyrupUSDC, a synthetic variant of the USDC stablecoin utilized within Hyperdrive, before bridging the misappropriated assets to Ethereum.
PeckShield has not yet verified the method through which the private key was compromised.
This exploit arises during a period of rapid growth for Hyperliquid, which has garnered significant attention due to its rewards program aimed at enhancing liquidity and user engagement. Recently, this initiative culminated in a major airdrop to over 94,000 addresses.
In just the past week, the platform has recorded more than $3.5 billion in trading volume, as per data from DefiLlama.
Nevertheless, as decentralized exchanges (DEXs) witness a resurgence in activity, this incident raises a recurring question: How can users ensure their security in an ecosystem predicated on self-custody and smart contracts?
How traders can stay protected
While the cause of Thursday’s exploit is still under investigation, security analysts stress that users of decentralized exchanges can adopt various measures to mitigate risk.
DEXs like Hyperliquid provide traders with complete control over their crypto assets, but with that control comes the full responsibility for securing them. Experts advocate for maintaining a “hot” wallet for active trading and a “cold” wallet for long-term storage, ensuring that the majority of funds remain offline and inaccessible to online threats.
Only a minimal portion of a trader’s assets should be left in wallets connected to DEXs to limit potential losses in the case of a private key breach or malicious smart contract.
To guard against private key exploits, Hyperliquid users should refrain from sharing their private keys or seed phrases, even during API wallet setup. Hyperliquid’s official documentation explicitly warns: “Do not share your private key with anyone.”
Users are also advised to be wary of counterfeit “authorization” pages or support messages on platforms like Telegram or Discord, which frequently impersonate official staff to steal credentials.
In light of the Hyperliquid exploit, the crypto exchange MEXC recommended that users “check positions and approvals on a block explorer,” highlighting that exploits often transpire when traders grant excessive permissions to DeFi protocols.
Security experts suggest regularly reviewing and revoking unnecessary permissions using tools such as Etherscan’s Token Approvals feature or similar on-chain management platforms.
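As an added illustration (not from the article, Hyperliquid, or any tool it names), the approval review described above can be run offline over exported ERC-20 `Approval` event logs. The addresses and log records are constructed sample data, and the `2**255` cut-off for "unlimited" is an assumption.

```python
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # keccak256("Approval(address,address,uint256)")
MAX_UINT256 = 2**256 - 1
UNLIMITED_FLOOR = 2**255  # assumption: allowances this large are effectively unlimited

def topic_to_address(topic):
    # An indexed address is left-padded to 32 bytes; keep the low 20 bytes.
    return "0x" + topic[-40:].lower()

def live_approvals(logs, owner):
    """Replay Approval events in chain order; return {(token, spender): amount} still non-zero."""
    state = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but carries 4 topics; ERC-20 has exactly 3.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)   # approve(spender, 0) revokes
        else:
            state[key] = amount    # a later approve() overwrites the earlier one
    return state

def unlimited(approvals):
    """(token, spender) pairs whose last approved amount is effectively unlimited."""
    return sorted(k for k, v in approvals.items() if v >= UNLIMITED_FLOOR)

# --- constructed sample data: none of these addresses or logs are real ---
OWNER, OTHER = "0x" + "aa" * 20, "0x" + "dd" * 20
TOKEN_X, TOKEN_Y = "0x" + "11" * 20, "0x" + "22" * 20
SPENDER_A, SPENDER_B = "0x" + "bb" * 20, "0x" + "cc" * 20

def make_log(block, index, token, owner, spender, amount):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(index),
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [
    make_log(105, 0, TOKEN_Y, OWNER, SPENDER_B, 0),            # later revocation
    make_log(100, 2, TOKEN_X, OWNER, SPENDER_A, MAX_UINT256),  # unlimited, never revoked
    make_log(101, 0, TOKEN_Y, OWNER, SPENDER_B, MAX_UINT256),  # unlimited, revoked at 105
    make_log(103, 1, TOKEN_X, OWNER, SPENDER_B, 500),          # bounded allowance
    make_log(104, 0, TOKEN_X, OTHER, SPENDER_A, MAX_UINT256),  # someone else's approval
]
```

The amount recovered from events is the last value approved, so it is an upper bound on what a spender can still move; the token contract's `allowance(owner, spender)` call gives the current figure.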
