On Thursday, a user of the decentralized trading platform Hyperliquid lost approximately $21 million after a leaked private key enabled an exploit of the platform’s Hyperdrive lending protocol.
Blockchain security firm PeckShield reported that the attacker drained 17.75 million DAI and 3.11 million SyrupUSDC, a synthetic version of the USDC stablecoin used within Hyperdrive, and then bridged the stolen assets to Ethereum.
PeckShield has not verified how the private key was compromised.
The exploit comes amid Hyperliquid’s rapid growth. The platform has drawn attention for a points-based rewards program intended to boost liquidity and user engagement, which recently culminated in a large airdrop to more than 94,000 addresses.
In just the past week, the platform has handled more than $3.5 billion in trading volume, as reported by DefiLlama.
Nonetheless, as decentralized exchanges (DEXs) see a resurgence of activity, this incident raises a persistent question: how can users stay secure in an ecosystem built on self-custody and smart contracts?
How traders can stay protected
While the investigation into Thursday’s exploit continues, security analysts note that users of decentralized exchanges can take several steps to reduce their risk.
DEXs like Hyperliquid give traders full custody of their crypto assets, but with that control comes full responsibility for securing them. Experts advise keeping a “hot” wallet for active trading and a “cold” wallet for long-term storage, so that the majority of funds stay offline and out of reach of online threats.
Only a small portion of a trader’s assets should sit in wallets connected to DEXs, to cap the loss from a private key compromise or a malicious smart contract.
To avoid private key compromise, Hyperliquid users should never share their private keys or seed phrases, even when setting up an API wallet. Hyperliquid’s official documentation cautions: “Do not share your private key with anyone.”
Users should also be wary of fake “authorization” pages and support messages on platforms such as Telegram and Discord, which frequently impersonate official staff to extract credentials.
Following the Hyperliquid exploit, crypto exchange MEXC recommended that users “check positions and approvals on a block explorer,” noting that exploits often occur when traders grant excessive permissions to DeFi protocols.
Security professionals urge regular review and revocation of unnecessary token approvals through tools such as Etherscan’s Token Approvals feature or similar on-chain management platforms. A standing approval lets the approved contract move tokens up to the allowance without any further signature from the owner, so a compromised or malicious spender can drain an approved balance outright, and an “unlimited” approval caps that loss only at the wallet’s entire balance of the token.
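The approval review described above can be done programmatically for EVM-style ERC-20 tokens, which is the kind of approval a block explorer’s approval checker displays. The following script is an added example, not code from the article, from Hyperliquid or from any explorer: it replays standard ERC-20 `Approval` event logs (the event signature topic and the `approve(address,uint256)` selector are the real ERC-20 constants), reports the allowances a given owner still has outstanding, flags “unlimited” ones, and builds the calldata for an `approve(spender, 0)` revocation. The log records, addresses and token contracts below are constructed for the example; in practice the logs would come from an `eth_getLogs` RPC call or an explorer export.

```python
# Added example (not from the original article or from Hyperliquid):
# audit outstanding ERC-20 approvals from Approval event logs and build
# the calldata that revokes them. Sample logs below are constructed.

from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)") -- standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# keccak256("Transfer(address,address,uint256)") -- included only to show filtering
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
# First 4 bytes of keccak256("approve(address,uint256)")
APPROVE_SELECTOR = "095ea7b3"
MAX_UINT256 = 2**256 - 1


@dataclass(frozen=True)
class Allowance:
    token: str
    spender: str
    amount: int

    @property
    def unlimited(self) -> bool:
        # Dapps usually request 2**256-1; treat anything in that range the same way.
        return self.amount >= 2**255


def _topic_to_address(topic: str) -> str:
    # Indexed address parameters are left-padded to 32 bytes inside topics.
    return "0x" + topic[-40:].lower()


def _pad_address(addr: str) -> str:
    return "0x" + addr[2:].lower().rjust(64, "0")


def outstanding_allowances(logs, owner):
    """Replay Approval logs in chain order. approve() overwrites the previous
    allowance, so the last event per (token, spender) pair is the live value."""
    owner = owner.lower()
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval event
        if _topic_to_address(topics[1]) != owner:
            continue  # someone else's approval
        token = log["address"].lower()
        spender = _topic_to_address(topics[2])
        latest[(token, spender)] = int(log["data"], 16)
    return [Allowance(t, s, a) for (t, s), a in latest.items() if a > 0]


def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): selector, 32-byte address, 32-byte zero."""
    addr = spender.lower().removeprefix("0x")
    if len(addr) != 40:
        raise ValueError("expected a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64


# Constructed (hypothetical) addresses for the sample.
OWNER = "0x1111111111111111111111111111111111111111"
OTHER_OWNER = "0x9999999999999999999999999999999999999999"
ROUTER = "0x2222222222222222222222222222222222222222"   # hypothetical DEX router
LENDER = "0x3333333333333333333333333333333333333333"   # hypothetical lending pool
TOKEN_DAI = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
TOKEN_USDC = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"


def _log(block, idx, token, topic0, owner, spender, amount):
    return {"blockNumber": block, "logIndex": idx, "address": token,
            "topics": [topic0, _pad_address(owner), _pad_address(spender)],
            "data": "0x" + format(amount, "064x")}


# Constructed sample log history (deliberately out of order to exercise sorting).
SAMPLE_LOGS = [
    _log(102, 5, TOKEN_USDC, APPROVAL_TOPIC, OWNER, ROUTER, MAX_UINT256),  # unlimited
    _log(100, 0, TOKEN_DAI, APPROVAL_TOPIC, OWNER, ROUTER, MAX_UINT256),   # later revoked
    _log(101, 0, TOKEN_USDC, APPROVAL_TOPIC, OWNER, LENDER, 1000 * 10**6),  # bounded
    _log(102, 0, TOKEN_DAI, APPROVAL_TOPIC, OWNER, ROUTER, 0),             # revocation
    _log(103, 0, TOKEN_DAI, APPROVAL_TOPIC, OTHER_OWNER, ROUTER, MAX_UINT256),  # not ours
    _log(104, 0, TOKEN_DAI, TRANSFER_TOPIC, OWNER, LENDER, 5 * 10**18),    # a Transfer
]


if __name__ == "__main__":
    for a in outstanding_allowances(SAMPLE_LOGS, OWNER):
        flag = "UNLIMITED" if a.unlimited else str(a.amount)
        print(f"{a.token} -> {a.spender}: {flag}; revoke with {revoke_calldata(a.spender)}")
```

Replaying logs only covers the block range that was queried, so treat the result as a worklist and confirm each entry with an `allowance(owner, spender)` call against the token contract before deciding what to revoke; the revocation itself is a normal transaction from the owner’s wallet to the token contract carrying the calldata shown.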
