Use a Ledger hardware wallet via Keplr
For larger balances, you can keep the recovery phrase off your computer entirely by signing transactions on a Ledger hardware wallet. Keplr becomes the UI; the Ledger is the actual signer.
Why hardware
When Keplr holds your recovery phrase, an attacker who compromises your browser (malicious extension, infostealer malware) can in principle extract it. A Ledger keeps the recovery phrase inside a tamper-resistant secure element; signatures happen on the device and the phrase never leaves it.
For positions worth more than a few thousand dollars, the security delta is real and the friction is small: you press a physical button to approve each transaction.
Initial setup
Buy a Ledger Nano S Plus or Nano X (or an alternative like Trezor; Keplr supports both). Initialize it offline, write down its recovery phrase on paper, and install the "Cosmos" app via Ledger Live.
Open Keplr → "Add wallet" → "Connect hardware wallet". Select Ledger, connect the device over USB, and open the Cosmos app on the Ledger. Keplr derives the dydx1… address and registers it as a Ledger-backed account.
Signing flow
When the Botely wizard (or any dYdX tx) asks for a signature, Keplr forwards the request to your Ledger. The device screen shows the transaction details. Verify the sender, type, and amount on the device itself, then press the right button to approve.
If you press the left button, the signature is rejected. Always verify on the device: the browser UI cannot be fully trusted in a compromised environment, but the Ledger screen is independent.
Limitations
Some MsgAddAuthenticator implementations have had compatibility issues with older Ledger Cosmos app versions. If signing fails, update the Cosmos app via Ledger Live to the latest version.
If your Ledger is lost or breaks, restore from the recovery phrase onto a new device. You do not have to migrate funds: the same dydx1… address comes back.