What can go wrong: the security post nobody writes

Phishing, fake support, malicious signatures, vault blowups, platform risk: ranked by how often they actually take people's money, along with the boring habits that stop each one.

Last post of the foundations series, and the one I'd make mandatory if I could. Losses on DEXs almost never come from exotic hacks — they come from a short list of well-known traps. Here's the list, ranked roughly by how often each one takes real people's money.

1. Phishing: the fake front door

The most common killer by far. A perfect copy of the Hyperliquid site at a lookalike address, reached through a sponsored search result, a Discord DM, or an email about an "urgent migration." You connect your wallet, sign what looks like a routine approval, and the drain happens in one transaction.

Defense: one bookmark, used every time. Never reach a financial site through search ads or messages. No legitimate project DMs you first, and "support" that initiates contact is always — always — an attacker.

2. The seed phrase request

Any prompt to "verify," "validate," "sync," or "restore" your wallet by entering your seed phrase is theft in progress. There is no exception in the entire industry. Real wallet software asks for your seed exactly once: when you initiate a restore on a fresh device.

3. Malicious signatures

Subtler than phishing: a site asks your wallet for a signature that quietly grants permission to move your tokens. The pop-up looks like every other pop-up. Defense: read what you sign, especially the word "approve"; keep trading funds in a separate wallet from savings, so the blast radius of one bad click stays small; for long-term holdings, a hardware wallet that displays what's being signed.
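To make "read what you sign" concrete, here is an added example (not code from this blog or from any wallet) that decodes the raw calldata behind a signing prompt and labels the permission it grants. It assumes the request is a standard ERC-20/ERC-721 style call; `known_spenders` is a hypothetical list you maintain yourself, and the sample address and amounts are constructed.

```python
UINT256_MAX = 2**256 - 1

# Standard 4-byte function selectors for token-permission calls.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
}

def inspect_calldata(data_hex, known_spenders=()):
    """Decode calldata from a signing prompt and label the permission it grants."""
    raw = data_hex.lower().removeprefix("0x")
    name = SELECTORS.get(raw[:8])
    if name is None:
        return {"function": None, "risk": "unknown", "why": "unrecognised selector"}
    args = raw[8:]
    try:
        if len(args) < 128:
            raise ValueError("truncated")
        party = "0x" + args[24:64]       # address: low 20 bytes of word 0
        int(party, 16)                   # reject non-hex input
        value = int(args[64:128], 16)    # uint256 amount or bool, word 1
    except ValueError:
        return {"function": name, "risk": "unknown", "why": "malformed arguments"}
    out = {"function": name, "party": party, "value": value}
    if name.startswith("transfer"):
        out.update(risk="info", why="moves tokens now, grants no standing permission")
    elif value == 0:
        out.update(risk="low", why="revokes or adds no permission")
    elif name.startswith("setApprovalForAll") or value == UINT256_MAX:
        out.update(risk="high", why="unlimited permission over the token")
    else:
        out.update(risk="medium", why="capped allowance")
    known = {s.lower() for s in known_spenders}
    if out["risk"] in ("medium", "high") and party not in known:
        out.update(risk="high", why=out["why"] + "; spender is not on your known list")
    return out

def word(n):
    """Encode an integer as one 32-byte ABI word (hex)."""
    return format(n, "064x")

# Constructed sample inputs (placeholder spender address, not a real contract).
SPENDER = "0x" + "ab" * 20
UNLIMITED = "0x095ea7b3" + word(int(SPENDER, 16)) + word(UINT256_MAX)
CAPPED = "0x095ea7b3" + word(int(SPENDER, 16)) + word(50_000_000)
REVOKE = "0x095ea7b3" + word(int(SPENDER, 16)) + word(0)
```

Off-chain typed-data signatures are not calldata and are outside what this block decodes; for those, the hardware-wallet display mentioned above is the check.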

4. The vault blowup: a loss that worked as designed

Not all disasters are theft. Deposit into a vault run on high leverage and a violent move can liquidate it — your share included. No bug, no scam, just the bus hitting the wall from the perps post. One vault near the top of today's leaderboard rode from +$1.6M all-time profit to negative — with millions of depositor money aboard the whole way down. The entire review series exists to help you spot that bus before boarding; the universal rule is older than crypto: size your deposit so a total loss changes nothing about your life.

5. Platform risk: the young-chain clause

Hyperliquid itself is software, young software, with a validator set still small enough to act as a committee — it did exactly that during a market attack in March 2025. I judge the trade-off acceptable and keep my trading capital there; but "acceptable risk" and "no risk" are different sentences, and anyone who tells you the second is selling something. Diversification across platforms is not paranoia.

The boring scoreboard

Bookmark, not links. Paper, not screenshots. Test transfer, then the real one. Separate wallets for trading and savings. Position sizes that let you sleep. None of it is clever, which is exactly the point — every disaster in this post starts with skipping something boring.

That closes the foundations. Next on this blog: the fun part — we open the vaults leaderboard, 342% APRs and all, and start taking it apart number by number.
