On Thursday, a single user on the decentralized trading platform Hyperliquid lost about $21 million after a private key leak led to an exploit involving the platform’s Hyperdrive lending protocol.
According to blockchain security company PeckShield, the attacker targeted 17.75 million DAI (DAI) and 3.11 million SyrupUSDC, a synthetic version of the USDC stablecoin used within Hyperdrive, and subsequently bridged the stolen funds to Ethereum.
PeckShield has not confirmed how the private key was compromised.
The exploit comes amid rapid growth for Hyperliquid, which has attracted significant attention due to its points-based rewards program designed to boost liquidity and user participation. The program recently culminated in a major airdrop to over 94,000 addresses.
Over the past week alone, the platform has processed more than $3.5 billion in trading volume, according to data from DefiLlama.
Still, as decentralized exchanges (DEXs) continue to experience renewed activity, the incident underscores a familiar question: How can users remain secure in an ecosystem built on self-custody and smart contracts?
How traders can stay protected
While the cause of Thursday’s exploit remains under investigation, security analysts emphasize that decentralized exchange users can take several precautions to minimize risk.
DEXs like Hyperliquid give traders full custody of their crypto assets, but that control also means they bear full responsibility for securing them. Experts recommend maintaining a “hot” wallet for active trading and a “cold” wallet for long-term storage, ensuring that most funds remain offline and out of reach of online threats.
Only a small portion of a trader’s assets should remain in wallets connected to DEXs to limit potential losses in the event of a private key compromise or malicious smart contract.
To protect against private key exploits, Hyperliquid users should never share their private keys or seed phrases, even during API wallet setup. Hyperliquid’s official documentation explicitly warns: “Do not share your private key with anyone.”
Users should also be cautious of fake “authorization” pages or support messages on platforms like Telegram or Discord, which often impersonate official staff to steal credentials.
In the wake of the Hyperliquid exploit, crypto exchange MEXC advised users to “check positions and approvals on a block explorer,” noting that exploits often occur when traders grant excessive permissions to DeFi protocols.
Security experts recommend regularly reviewing and revoking unnecessary token approvals using tools such as Etherscan's Token Approvals feature or similar onchain permission managers. Revoking an approval only limits what a third-party contract can pull from a wallet; it does not protect a wallet whose private key has leaked, since the attacker can then sign transfers directly, which is why keeping most funds in a separate cold wallet still matters.
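What an approvals checker does under the hood, as an added example that is not code from the article, from MEXC, or from Etherscan: it replays a wallet's ERC-20 `Approval` events to find which spenders still hold a nonzero allowance (the last event per token/spender pair wins), flags unlimited ones, and builds the calldata for `approve(spender, 0)` that revokes them. The log records, owner, token and spender addresses below are constructed for illustration; a real run would fetch logs with `eth_getLogs`, confirm each value with an `allowance()` call, and submit the revoke transaction from the wallet. Only the standard library is used.

```python
"""Replay ERC-20 Approval events for one wallet and build revoke calldata.

Added example (stdlib only). All addresses and log records are constructed,
not real chain data.
"""

# ERC-20 function selectors: first 4 bytes of keccak256(signature)
APPROVE_SELECTOR = "095ea7b3"      # approve(address,uint256)
ALLOWANCE_SELECTOR = "dd62ed3e"    # allowance(address,address)
# keccak256("Approval(address,address,uint256)"), topic0 of every Approval log
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1


def _strip0x(h):
    return h[2:] if h.lower().startswith("0x") else h


def _addr_word(addr):
    """ABI-encode an address as a 32-byte word (left-padded, lowercase hex)."""
    return _strip0x(addr).lower().rjust(64, "0")


def _word_to_addr(word):
    """Recover a 20-byte address from a padded 32-byte topic/word."""
    return "0x" + _strip0x(word).lower()[-40:]


def encode_approve(spender, amount):
    """Calldata for approve(spender, amount); amount 0 revokes the allowance."""
    return "0x" + APPROVE_SELECTOR + _addr_word(spender) + format(amount, "064x")


def encode_allowance_call(owner, spender):
    """Calldata for allowance(owner, spender), the authoritative onchain check."""
    return "0x" + ALLOWANCE_SELECTOR + _addr_word(owner) + _addr_word(spender)


def current_approvals(logs, owner):
    """Replay Approval logs in chain order; the last value per (token, spender)
    is the live allowance. Returns only pairs whose allowance is nonzero."""
    owner = owner.lower()
    live = {}
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue                      # not an ERC-20 Approval event
        if _word_to_addr(topics[1]) != owner:
            continue                      # someone else's wallet
        spender = _word_to_addr(topics[2])
        value = int(log["data"], 16)      # uint256 allowance in the data field
        live[(log["address"].lower(), spender)] = value
    return {pair: v for pair, v in live.items() if v > 0}


def revoke_plan(logs, owner):
    """For each live approval, report whether it is unlimited and give the
    allowance() check calldata and the approve(spender, 0) revoke calldata."""
    plan = []
    for (token, spender), value in sorted(current_approvals(logs, owner).items()):
        plan.append({
            "token": token,
            "spender": spender,
            "allowance": value,
            "unlimited": value == UINT256_MAX,
            "allowance_call": encode_allowance_call(owner, spender),
            "revoke_calldata": encode_approve(spender, 0),
        })
    return plan


# Constructed sample data (hypothetical addresses, not real contracts).
OWNER = "0x" + "a1" * 20
ROUTER, LENDER, VAULT = ("0x" + "b2" * 20, "0x" + "c3" * 20, "0x" + "d4" * 20)
TOKEN_A, TOKEN_B, TOKEN_C = ("0x" + "10" * 20, "0x" + "20" * 20, "0x" + "30" * 20)


def _approval_log(token, owner, spender, value):
    return {"address": token,
            "topics": [APPROVAL_TOPIC, "0x" + _addr_word(owner), "0x" + _addr_word(spender)],
            "data": "0x" + format(value, "064x")}


SAMPLE_LOGS = [
    _approval_log(TOKEN_A, OWNER, ROUTER, UINT256_MAX),   # unlimited, still live
    _approval_log(TOKEN_B, OWNER, LENDER, 1_000_000_000), # later revoked below
    _approval_log(TOKEN_C, OWNER, VAULT, 500),            # small, still live
    _approval_log(TOKEN_B, OWNER, LENDER, 0),             # revoke: last value wins
    _approval_log(TOKEN_A, "0x" + "ee" * 20, ROUTER, 7),  # another owner, ignored
]

if __name__ == "__main__":
    for item in revoke_plan(SAMPLE_LOGS, OWNER):
        flag = "UNLIMITED" if item["unlimited"] else str(item["allowance"])
        print(f"{item['token']} -> {item['spender']}: {flag}")
        print("  revoke with:", item["revoke_calldata"])
```

Explorers show the same picture by reading these events; the `allowance()` call is the source of truth because a token contract could emit a misleading event. Sending the `approve(spender, 0)` calldata to the token contract from the owner's wallet is the revoke, and it costs one transaction per token/spender pair.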