秋田预测市场 · Discord 审计

stevek参与话题 8消息总数 22

该用户的聊天记录定位。

Reset

聊天记录

共 22 条,显示第 1-22 条
stevek 2026-07-12 06:18:08 Hyperliquid HyperSwap V3钓鱼合约利用拼写错误骗取LP NFT

For anyone wondering about the HyperSwap hack, the victim saw a X post from HyperswapperX in a reply to HyperswapX. He didn't notice the spelling error. He was lured to the dApp which then gave a blind transaction that Metamask didn't flag as malicious. Result: complete loss of all funds. Lesson: MetaMask security is pretty weak, especially w.r.t. hyperliquid EVM. Never blind sign on untrusted dApp sites.

For anyone wondering about the HyperSwap hack, the victim saw a X post from HyperswapperX in a reply to HyperswapX. He didn't notice the spelling error. He was lured to the dApp which then gave a blind transaction that Metamask didn't flag as malicious. Result: complete loss of all funds. Lesson: MetaMask security is pretty weak, especially w.r.t. hyperliquid EVM. Never blind sign on untrusted dApp sites.

stevek 2026-07-12 03:44:44 Hyperliquid HyperSwap V3钓鱼合约利用拼写错误骗取LP NFT

HyperSwap isn't affiliated with Hyperliquid. So complaining to Hyperliquid is not appropriate. Hyperswap, like all other X accounts, is unable to delete the posting from the "imposter" HyperswaPPER X account that drained your funds. The bottom line is you have to be REALLY careful about approving any requests from dApps hosted by non-credible sites like this. The theft of your funds is one of the reasons I'm spending my time developing a safer crypto wallet that should be much more resistant to these types of incidents.

HyperSwap isn't affiliated with Hyperliquid. So complaining to Hyperliquid is not appropriate. Hyperswap, like all other X accounts, is unable to delete the posting from the "imposter" HyperswaPPER X account that drained your funds. The bottom line is you have to be REALLY careful about approving any requests from dApps hosted by non-credible sites like this. The theft of your funds is one of the reasons I'm spending my time developing a safer crypto wallet that should be much more resistant to these types of incidents.

stevek 2026-07-12 01:44:53 Hyperliquid CASHCAT合约强制清算引发退款争议

Separate topic: For trading CASHCAT on HL, you should consider lowering margin to 1X. A lot of people just got force liquidated through market manipulation.

Separate topic: For trading CASHCAT on HL, you should consider lowering margin to 1X. A lot of people just got force liquidated through market manipulation.

stevek 2026-07-12 01:42:34 Hyperliquid

i'd like to get more info on this contract if you're willing to share.

i'd like to get more info on this contract if you're willing to share.

stevek 2026-07-11 06:00:36 Hyperliquid 用户存款二次签名失败需ARB网络ETH作为Gas

I am guess he just has ETH only, no USD. You need a small amount of ETH, and at least $15 or so in USD for a deposit to make any sense since min order is $10 and you lose $1 to create the account.

I am guess he just has ETH only, no USD. You need a small amount of ETH, and at least $15 or so in USD for a deposit to make any sense since min order is $10 and you lose $1 to create the account.

stevek 2026-07-11 03:48:59 Hyperliquid 美国用户交易永续合约受限与合规指引

try using hypersight.xyz. NOTE: If you are in the US, it is legal to trade SPOT markets, and Outcome markets are a grey area. PERP trading is prohibited if you are the US, but allowed virtually everywhere else in the world.

try using hypersight.xyz. NOTE: If you are in the US, it is legal to trade SPOT markets, and Outcome markets are a grey area. PERP trading is prohibited if you are the US, but allowed virtually everywhere else in the world.

stevek 2026-07-11 01:16:10 Hyperliquid

I am using a wallet that knows how to sign L1 transactions. The wallet advertises the EVM chainID but it (unlike all other wallets) ALSO advertises the capability: hyperliquid_authorizeAction Is that the "recommended" approach for dealing with dApps who are willing to pass the L1 actions to sign?

I am using a wallet that knows how to sign L1 transactions. The wallet advertises the EVM chainID but it (unlike all other wallets) ALSO advertises the capability: hyperliquid_authorizeAction Is that the "recommended" approach for dealing with dApps who are willing to pass the L1 actions to sign?

stevek 2026-07-11 00:48:13 Hyperliquid 社区成员警告新用户防范验证诈骗

did you just post your very first support request? That would explain that. Even though HL has a small staff, there are thousands of "volunteer" unofficial support staff that will happily offer you support AFTER you "verify your account" which means give them your seed phrase (because there will be a "bug" if you try it with just your address). So after they steal all your money, I'm not sure what happens but when I point out the scam to these people they stop talking to me for some reason. Also, they will say their site is safe citing VirtusTotal, etc. which is meaningless but fools people.

did you just post your very first support request? That would explain that. Even though HL has a small staff, there are thousands of "volunteer" unofficial support staff that will happily offer you support AFTER you "verify your account" which means give them your seed phrase (because there will be a "bug" if you try it with just your address). So after they steal all your money, I'm not sure what happens but when I point out the scam to these people they stop talking to me for some reason. Also, they will say their site is safe citing VirtusTotal, etc. which is meaningless but fools people.

You sent on HyperCore to an address used by HTX??? or did you send on another blockchain to an HTX address? Is there a tool that warns people they are about to send to a sanctioned address? Is there a list of blockchains/wallet addresses to avoid?

You sent on HyperCore to an address used by HTX??? or did you send on another blockchain to an HTX address? Is there a tool that warns people they are about to send to a sanctioned address? Is there a list of blockchains/wallet addresses to avoid?

stevek 2026-06-16 11:54:15 Hyperliquid

have you tried using hypersight ?

have you tried using hypersight ?

stevek 2026-06-16 03:53:46 Hyperliquid

FWIW: Converting an account to multi-sig does NOT affect any agent key's ability to do trades. This means you can provision an agent key for an app you trust where the key won't be compromised and then convert the base account to multisig after the agent key is provisioned. For example, I tried connecting my multi-sig wallet to dreamcash, and that failed because it doesn't support multi-sig, so then I converted to single-sig, which made it happy. It got its agent key and then I converted it back to multi-sig. So both work. So one shouldn't get the false assurance that if you convert your account to multi-sig, your agents will be disabled because they won't be.

FWIW: Converting an account to multi-sig does NOT affect any agent key's ability to do trades. This means you can provision an agent key for an app you trust where the key won't be compromised and then convert the base account to multisig after the agent key is provisioned. For example, I tried connecting my multi-sig wallet to dreamcash, and that failed because it doesn't support multi-sig, so then I converted to single-sig, which made it happy. It got its agent key and then I converted it back to multi-sig. So both work. So one shouldn't get the false assurance that if you convert your account to multi-sig, your agents will be disabled because they won't be.

agent key can't withdraw" is false comfort. The withdrawal restriction protects the balance from leaving via transfer, but does nothing about value leaving via adversarial fills. The attack surface is the signing capability itself, not the withdrawal permission. Most AI bots can explain it in detail if you think I'm kidding. I wish I was. This is from Claude: Here are the ways an attacker holding your stolen Hyperliquid agent/API key can bleed your account, given that the key can place orders but cannot withdraw or transfer: Self-dealing / wash trades (the main one). The attacker posts resting orders on both sides of a thin or manufactured-spread market from a wallet they control, then uses your key to cross the spread into those orders. Your account buys high and sells low; the spread differential transfers to their wallet as realized PnL. On-chain it looks like two consenting wallets trading normally, so it's not clawback-able. Sizeable to your full available margin, executes in seconds. Adversarial position-taking into liquidation. Even without a counterparty wallet, they can open maximally leveraged positions in a direction designed to lose, or oversize into illiquid markets so slippage and liquidation fees destroy value. Less efficient for the attacker (they don't capture the loss directly) but pure griefing that still drains you. Maker/taker fee leakage via churn. High-frequency open/close cycling burns your balance through fees and funding. Slow relative to the wash-trade attack, but a supplement — and it muddies the picture if they want the activity to look like "bad trading" rather than theft. Cross-margin spillover. If the account is in cross-margin mode, losses in one position draw down the shared collateral pool, so a single manufactured-loss position can reach your entire margin balance rather than being isolated to one market. There was more but this is now at the character limit for a message.

agent key can't withdraw" is false comfort. The withdrawal restriction protects the balance from leaving via transfer, but does nothing about value leaving via adversarial fills. The attack surface is the signing capability itself, not the withdrawal permission. Most AI bots can explain it in detail if you think I'm kidding. I wish I was. This is from Claude: Here are the ways an attacker holding your stolen Hyperliquid agent/API key can bleed your account, given that the key can place orders but cannot withdraw or transfer: Self-dealing / wash trades (the main one). The attacker posts resting orders on both sides of a thin or manufactured-spread market from a wallet they control, then uses your key to cross the spread into those orders. Your account buys high and sells low; the spread differential transfers to their wallet as realized PnL. On-chain it looks like two consenting wallets trading normally, so it's not clawback-able. Sizeable to your full available margin, executes in seconds. Adversarial position-taking into liquidation. Even without a counterparty wallet, they can open maximally leveraged positions in a direction designed to lose, or oversize into illiquid markets so slippage and liquidation fees destroy value. Less efficient for the attacker (they don't capture the loss directly) but pure griefing that still drains you. Maker/taker fee leakage via churn. High-frequency open/close cycling burns your balance through fees and funding. Slow relative to the wash-trade attack, but a supplement — and it muddies the picture if they want the activity to look like "bad trading" rather than theft. Cross-margin spillover. If the account is in cross-margin mode, losses in one position draw down the shared collateral pool, so a single manufactured-loss position can reach your entire margin balance rather than being isolated to one market. There was more but this is now at the character limit for a message.

tldr; storing the agent private key in the browser is inherently unsafe. A smart attacker can steal most of your funds. That's state of the art with the official hyerliquid app. If you want better security than that, there is a way to do it that gives you the same convenience you have now, but doesn't permit a drive by attack. I was a victim of a silent install of NetSupport Manager so I speak from $$$ lost.

tldr; storing the agent private key in the browser is inherently unsafe. A smart attacker can steal most of your funds. That's state of the art with the official hyerliquid app. If you want better security than that, there is a way to do it that gives you the same convenience you have now, but doesn't permit a drive by attack. I was a victim of a silent install of NetSupport Manager so I speak from $$$ lost.

stevek 2026-06-15 10:42:07 Hyperliquid

tldr: using multisig with a browser extension coupled with a self-hosted cloud signer to enforce policy --> crypto with far less risk than today. multisig wallet have 2/3 signers: extension, your cloud hosted signer, hardwallet. User controls the 3 keys.

tldr: using multisig with a browser extension coupled with a self-hosted cloud signer to enforce policy --> crypto with far less risk than today. multisig wallet have 2/3 signers: extension, your cloud hosted signer, hardwallet. User controls the 3 keys.

stevek 2026-06-15 07:56:12 Hyperliquid

You can look up Steve Kirsch on Grokipedia. You can verify my .hl name on the About page of Steve Kirsch's substack. Do you still think I'm a scammer?

You can look up Steve Kirsch on Grokipedia. You can verify my .hl name on the About page of Steve Kirsch's substack. Do you still think I'm a scammer?

stevek 2026-06-15 07:38:28 Hyperliquid

all my HL accounts got tokens.

all my HL accounts got tokens.

1. because i just saw it when i read the recent posts. I was in a similar position myself. I had over $100K in staked Solana and thought it was safe. I can give you my SOL address and you can verify it. I have the police report as well. They laundered it so well the police couldn't track it. solana address 9BBhGEfAMSHg8Mxyb4x67VKMhyomJ3MAPa9mqXtaP8xZ Theft was Feb 4, 2026. That motivated me to solve the problem for myself and others. I can prove I still own that wallet if you need proof. 2. Yes, it started with his phone being hacked. Others suggested converting it to multisig immediately. 3. I don't have a product to sell. I have an prototype design that I think solves the problem. I'm not selling anything so there is no "product promotion". free. 4. Yes it is because he can use this tool right now to convert his account safely. He can look me up on wikipedia to validate I am who I claim to be. 5. The the whole point of converting to multi-sig is to secure an account. I tried connecting my multi-sig account to Hypersig and it said it wouldn't let me do anything until I converted it to a unified account. And it required me to convert my multi-sig account to a single-sig account, which is the opposite of what security is supposed to do. Any time it converts to a singlesig account, it is much more vulnerable. You can go try it yourself on your multi-sig account. I can show you when I do the conversion on Hypersight I can convert the account type from Classic to Unified without disabling Multi-Sig. You cannot do that on Hypersig. Any time you go from multi-sig to single-sig, that is a downgrade in the level of assurance which increases risk. I'm happy to give you a live demo if you would like to see it and become less confused but it is not nonsensical. I'll show you what happens in hypersig. My wallet. My funds. You can watch.

1. because i just saw it when i read the recent posts. I was in a similar position myself. I had over $100K in staked Solana and thought it was safe. I can give you my SOL address and you can verify it. I have the police report as well. They laundered it so well the police couldn't track it. solana address 9BBhGEfAMSHg8Mxyb4x67VKMhyomJ3MAPa9mqXtaP8xZ Theft was Feb 4, 2026. That motivated me to solve the problem for myself and others. I can prove I still own that wallet if you need proof. 2. Yes, it started with his phone being hacked. Others suggested converting it to multisig immediately. 3. I don't have a product to sell. I have an prototype design that I think solves the problem. I'm not selling anything so there is no "product promotion". free. 4. Yes it is because he can use this tool right now to convert his account safely. He can look me up on wikipedia to validate I am who I claim to be. 5. The the whole point of converting to multi-sig is to secure an account. I tried connecting my multi-sig account to Hypersig and it said it wouldn't let me do anything until I converted it to a unified account. And it required me to convert my multi-sig account to a single-sig account, which is the opposite of what security is supposed to do. Any time it converts to a singlesig account, it is much more vulnerable. You can go try it yourself on your multi-sig account. I can show you when I do the conversion on Hypersight I can convert the account type from Classic to Unified without disabling Multi-Sig. You cannot do that on Hypersig. Any time you go from multi-sig to single-sig, that is a downgrade in the level of assurance which increases risk. I'm happy to give you a live demo if you would like to see it and become less confused but it is not nonsensical. I'll show you what happens in hypersig. My wallet. My funds. You can watch.

stevek 2026-06-15 05:12:43 Hyperliquid

My friend Raymond Yuan suggested the idea (founder of CTH Group). He wanted security and ease of use. The system uses two keys, both keys are out of our control.

My friend Raymond Yuan suggested the idea (founder of CTH Group). He wanted security and ease of use. The system uses two keys, both keys are out of our control.

I just sent you a friend request. I'll show you a easier and safer way to convert to mutlsig. Better than hypersig and i'll show you why. For the skeptical, you can demonstrate this yourself. Connect your multisig wallet to hypersig and it wouldn't let you do anything before you convert to single sig so it can switch you to unified mode. My account was already in unified mode and it is NOT necessary to switch off multisig to convert. That's a security risk. I'd post screenshots, but I don't have privileges to do that yet. But you can replicate this yourself. Use my multisig wallet address: 0xCa5269C628672A8E93105B0D6BD0989F25886bCb You can verify it is in unified mode. Attach it to hypersig. Hypersig will tell you it has to switch off multisig to convert it to unified mode.

I just sent you a friend request. I'll show you a easier and safer way to convert to mutlsig. Better than hypersig and i'll show you why. For the skeptical, you can demonstrate this yourself. Connect your multisig wallet to hypersig and it wouldn't let you do anything before you convert to single sig so it can switch you to unified mode. My account was already in unified mode and it is NOT necessary to switch off multisig to convert. That's a security risk. I'd post screenshots, but I don't have privileges to do that yet. But you can replicate this yourself. Use my multisig wallet address: 0xCa5269C628672A8E93105B0D6BD0989F25886bCb You can verify it is in unified mode. Attach it to hypersig. Hypersig will tell you it has to switch off multisig to convert it to unified mode.

stevek 2026-06-10 10:06:27 Hyperliquid 工单系统触达500通道限制且用户验证出现乱象

Two bugs: 1. ticket creation doesn't work anymore (limit of 500) 2. In the user verification, you are asked to pick the grapes (item 4). when you do that, it says "wrong, try again"... None of the selections work. Was this done on purpose to weed out those who are easily discouraged?

Two bugs: 1. ticket creation doesn't work anymore (limit of 500) 2. In the user verification, you are asked to pick the grapes (item 4). when you do that, it says "wrong, try again"... None of the selections work. Was this done on purpose to weed out those who are easily discouraged?

stevek 2026-06-10 02:01:38 Hyperliquid

Any comments on this Security feature request: Change the app to allow a "no-agent trading mode" where the official app does not generate or persist an agent/API wallet key, and instead submits HyperCore actions signed directly by the connected wallet for each trade. This allows for custom HL wallets that can silently approve "normal" requests, and request higher LoA for "suspect" requests. This trades UX friction for stronger key-custody guarantees, which is highly desirable for high-value wallets that trade only a modest number of times per day. I have personally had malware steal my crypto (over $100K+) so I'm not interested in having a repeat experience. Agent keys have the unadvertised ability to transfer out my funds without my permission. I won't go into the details here.

Any comments on this Security feature request: Change the app to allow a "no-agent trading mode" where the official app does not generate or persist an agent/API wallet key, and instead submits HyperCore actions signed directly by the connected wallet for each trade. This allows for custom HL wallets that can silently approve "normal" requests, and request higher LoA for "suspect" requests. This trades UX friction for stronger key-custody guarantees, which is highly desirable for high-value wallets that trade only a modest number of times per day. I have personally had malware steal my crypto (over $100K+) so I'm not interested in having a repeat experience. Agent keys have the unadvertised ability to transfer out my funds without my permission. I won't go into the details here.