Wallet compromise runbook
If you suspect your owner mnemonic / recovery phrase has leaked, time is critical. Follow these steps to limit damage and rotate.
Step 0: confirm vs panic
A compromise indicator is unauthorized transactions you didn't initiate (visible on dydx.trade or your block explorer). Random pop-ups on a website are NOT a compromise indicator; those are phishing attempts.
If you actually see unauthorized activity, assume the worst and act fast. If you're not sure, take a screenshot and review with a fresh head; most 'compromise alerts' are phishing scares.
Step 1: move funds to a fresh wallet
Generate a brand-new mnemonic on a clean device (ideally a fresh Keplr install on a different computer, or a hardware wallet you haven't connected to anything yet). DO NOT use the compromised wallet's Keplr to set up the new one: the attacker may already have the seed.
From the compromised wallet (you still hold the keys until the attacker uses them), send all funds: withdraw USDC from subaccount 0 → bank, then send bank USDC + DYDX to the new wallet's address. Speed matters.
Step 2: revoke the trading key
Once funds are in the new wallet, the compromised wallet has nothing left to steal. But the on-chain authenticator (Botely trading key) is still registered against the old owner address. That doesn't matter for fund safety, but removing it is good hygiene.
Revoke from /app/settings → "Revoke" button, then run `dydxprotocold tx accountplus remove-authenticator <id> --from <old-owner-keyname>` from the CLI to also remove it on-chain. The fee is paid by the old owner; that's fine.
Step 3: re-register on the new wallet
Update Botely to point at the new owner address: in /app/settings the wizard now uses your new Keplr account. Re-run the wizard to register a new trading key tied to the new owner.
Update the bot's .env (Phase 0) or wait for Phase 1 auto-pickup. Restart the bot.
Update DYDX_ADDRESS in the bot's .env if it was hardcoded to the old address.
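An added example (not part of the original runbook and not Botely's code): a Python check to run against the bot's .env after Step 3. It confirms that DYDX_ADDRESS no longer points at the old owner and is a well-formed bech32 address with the dydx prefix, which catches a mistyped or wrong-chain address before the bot restarts. The function names, the old_owner parameter and the simple KEY=VALUE parsing are assumptions of this example.

```python
"""Added example: post-rotation check of the bot's .env (assumes plain KEY=VALUE lines)."""
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # bech32 alphabet (BIP-173)
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)

def polymod(values):
    """BIP-173 checksum polynomial over 5-bit values."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate(GEN):
            if (top >> i) & 1:
                chk ^= g
    return chk

def hrp_expand(hrp):
    """Spread the human-readable prefix into the checksum input."""
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def is_valid_address(addr, hrp="dydx"):
    """True if addr is lowercase bech32 with the expected prefix and a good checksum."""
    if addr != addr.lower() or not addr.startswith(hrp + "1"):
        return False
    data = addr[len(hrp) + 1:]
    if len(data) < 6 or any(c not in CHARSET for c in data):
        return False
    return polymod(hrp_expand(hrp) + [CHARSET.index(c) for c in data]) == 1

def parse_env(text):
    """Minimal .env parser: optional 'export', quoted values, '#' comment lines."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key.startswith("#"):
            continue
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        env[key] = value.strip().strip("'\"")
    return env

def check_rotation(env_text, old_owner):
    """Return a list of problems; an empty list means DYDX_ADDRESS looks rotated."""
    addr = parse_env(env_text).get("DYDX_ADDRESS")
    if addr is None:
        return ["DYDX_ADDRESS not set"]
    if addr == old_owner:
        return ["DYDX_ADDRESS still points at the compromised owner"]
    if not is_valid_address(addr):
        return ["DYDX_ADDRESS fails the dydx bech32 check (typo or wrong chain)"]
    return []
```

Call check_rotation with the contents of the bot's .env and the old owner address; restart the bot only when it returns an empty list.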
Step 4: postmortem
Where did the leak happen? Common vectors: (a) seed typed into a fake Keplr lookalike site, (b) seed photographed and stored in cloud (Google Drive, iCloud, GitHub Gist), (c) malware on the device running Keplr, (d) physical access to a written seed.
Whatever caused it, don't repeat it. For high-value wallets, consider switching to a hardware wallet: the seed never leaves the device's secure element. See the mnemonic-best-practices guide.