On Thursday, one user of decentralized trading platform Hyperliquid lost approximately $21 million after a private key leak triggered an exploit involving the platform’s Hyperdrive lending protocol.
According to blockchain security firm PecShield, the attackers targeted 17.75 million DAI and 3.11 million SyrupUSDC, a synthetic version of the USDC stablecoin used within Hyperdrive, and then bridged the stolen funds to Ethereum.
PeckShield has not confirmed how the private key was compromised.
The exploit comes amid rapid growth for Hyperliquid, which has gained significant attention due to its points-based rewards program designed to foster liquidity and user participation. The program recently culminated in a massive airdrop to over 94,000 addresses.
According to DefiLlama data, the platform processed more than $3.5 billion in trade volume in the past week alone.
Still, as new activity continues on decentralized exchanges (DEXs), the incident highlights common questions about how users can be kept safe in an ecosystem built on self-custody and smart contracts.
Related: Chainalysis reports $75 billion in crypto assets available for seizure as US Bitcoin reserves stall
How traders stay protected
While the cause of Thursday’s exploit is still under investigation, security analysts stress that users of decentralized exchanges can take several precautions to minimize risk.
DEXs like Hyperliquid give traders complete control over their crypto assets, but that control also means that traders take full responsibility for protecting their crypto assets. Experts recommend maintaining a “hot” wallet for active transactions and a “cold” wallet for long-term storage, keeping most of your funds offline and inaccessible to online threats.
Only a small portion of a trader’s assets should remain in a DEX-connected wallet to limit potential losses in the event of private key compromise or malicious smart contracts.
Related: Hardware Wallets vs. Software Wallets: Key Differences
To prevent private key misuse, Hyperliquid users should never share their private key or seed phrase, even during API wallet setup. Hyperliquid’s official documentation explicitly warns, “Do not share your private key with anyone.”
Users should also be wary of fake “verification” pages and support messages on platforms like Telegram and Discord. These often impersonate official staff and steal credentials.
In response to the Hyperliquid exploit, cryptocurrency exchange MEXC advised users to “verify their positions and authorizations in the block explorer,” noting that exploits often occur when traders grant excessive permissions to DeFi protocols.
Security experts recommend using tools like Etherscan’s token authorization feature or similar on-chain management platforms to regularly review and revoke unnecessary permissions.
Related: Crypto hacking losses drop by 37% in Q3 as tactics shift to wallets