# Sample Hyperliquid Policies This page guides you through configuring [policy](/user-guide/policies) to create transaction rules for Hyperliquid (sometimes called HyperCore). For more general examples, see [Sample Policies](/user-guide/policies/sample-policies). These examples cover the basic rules needed for common Hyperliquid interactions. If you need more help, feel free to reach out to Fordefi Customer Service. ## Important concepts Users of Hyperliquid can interact with the exchange through Fordefi, mainly by signing EVM typed messages, but some specific actions — such as depositing USDC from Arbitrum over the legacy bridge — require a "transfer". This means no single rule covers all Hyperliquid transactions; instead, a comprehensive policy will require multiple rules, each handling a specific kind of interaction with Hyperliquid. The sections below describe those rules and provide minimal templates you can adapt for your own policy. ## Deposit rules ### Legacy deposits using Arbitrum This simple rule covers the case of depositing USDC into Hyperliquid's [bridge contract on Arbitrum](https://arbiscan.io/address/0x2df1c51e09aecf9cacb7bc98cb1742757f163df7) using the legacy deposit flow on Hyperliquid. #### Settings - **Transaction type**: "Allowance" and "Transfer" - **Recipient**: Hyperliquid (Arbitrum One) DApp option - **Transaction amount**: less than or equal to $100,000 USD (this condition is optional and can be removed or the amount changed) image.png #### Notes The transaction is of type "Transfer" because the deposit involves moving and locking your tokens into the bridge contract and crediting the amount to Hyperliquid. We have also added the "Allowance" transaction type, which is technically not required when depositing using the Hyperliquid web app but is required when depositing USDC with Fordefi over API. We have selected the Hyperliquid (Arbitrum) DApp "bundle" as the "Recipient" in our rule because this bundle includes the bridge contract for convenience. legacy-deposit-hyperliquid-dapp.png ### CCTP deposits with Arbitrum This rule captures deposits to Hyperliquid through Circle's CCTP on Arbitrum, which is now the default deposit method on Hyperliquid. The CCTP flow uses the [USDC contract on Arbitrum](https://arbiscan.io/token/0xaf88d065e77c8cc2239327c5edb3a432268e5831#writeProxyContract), which is included in the Circle CCTP (Arbitrum) DApp bundle, which we'll be using for this rule for convenience. #### Settings - **Transaction type**: "EVM typed data message" - **Recipient**: Circle CCTP (Arbitrum One) DApp option - **EVM typed message**: - Domain: USD Coin - Primary type: ReceiveWithAuthorization hyperliquid-deposits-cctp.png #### Notes Since this transaction involves signing an EVM typed message, that is what we have selected as the transaction type, and we have added an extra "EVM typed message" condition with the domain and type of the message we are expecting. Importantly, note that you must NOT add an extra amount or asset check to this rule. Fordefi's policy engine [cannot check an amount or asset when the transaction type is an EVM message](https://docs.fordefi.com/user-guide/policies/policy-rules-conditions-and-actions#matchers-and-transaction-types), except in special circumstances where this message is handled by Fordefi as a transfer (more on this in the next section). hyperliquid-deposits-cctp-dapp.png ## Asset transfer rule from within Hyperliquid This important rule is meant as a "catch-all" that governs the following actions on Hyperliquid: - Transfers from Spot to Perps - Transfers from Perps to Spot - Withdrawals from Hyperliquid to your wallet on Arbitrum - Transfers to another Hyperliquid account using Hyperliquid's "Send" feature #### Settings - **Origin**: The vault or vaults that will sign transactions on Hyperliquid - **Transaction type**: "Transfer" - **Recipient**: "Origin vault" hyperliquid-send-assets.png #### Notes Although all these actions technically involve signing EVM messages, Fordefi is able to "treat" them like regular transfers. Treating them like transfers allows us to use the "Recipient" field on a rule as a whitelist of beneficiaries. In the example above we used "Origin vault" as the "Recipient" so if a malicious trader ever tried to transfer or withdraw assets to an account that's not the connected Fordefi vault, the transaction would not be allowed by that rule. For the specific case where you'd want to allow transferring funds to a Hyperliquid account that's not the connected vault (a trusted third-party for example), you can simply add that account to the "Recipient" list on the rule. transfers-whitelist.png ## Approve and revoke API wallets Although [API wallets](https://hyperliquid.gitbook.io/hyperliquid-docs/for-developers/api/nonces-and-api-wallets?q=agent+wallet#api-wallets) are not required to use Hyperliquid with Fordefi, they can be used for some programmatic use cases. This rule will match any transaction that attempts to approve or revoke an API wallet on Hyperliquid. #### Settings - **Transaction type**: "EVM typed data message" - **EVM typed message**: - Domain: HyperliquidSignTransaction - Primary type: HyperliquidTransaction:ApproveAgent - **Recipient**: "0x0000000000000000000000000000000000000000" as a custom address hyperliquid-api-wallets-rule.png #### Notes The verifying contract here is the [0x0 address](https://arbiscan.io/address/0x0000000000000000000000000000000000000000) (also known as the burn or null address) — this is simply a convention by which Hyperliquid uses this address as its verifying contract. The reason we are not adding the 0x0 address to our Address book is that we do not want it to appear as a destination option when doing a transfer in the Fordefi web app that is unrelated to Hyperliquid. approve-api-wallets-dapp.png ## Convert to multi-sig account As with API wallets, converting your Hyperliquid account to a multi-sig is optional but [can be set up for additional security](https://hyperliquid.gitbook.io/hyperliquid-docs/hypercore/multi-sig). However, it comes at the cost of added complexity and the risk of losing access to your Hyperliquid account if you can no longer meet the threshold. As such, it is best practice to gate the use of this action to make sure it does not present security risks or is activated accidentally. #### Settings - **Transaction type**: "EVM typed data message" - **Recipient**: "0x0000000000000000000000000000000000000000" as a custom address - **EVM typed message**: - Domain: HyperliquidSignTransaction - Primary type: HyperliquidTransaction:ConvertToMultiSigUser convert-to-multisig.png #### Notes As with API wallets, Hyperliquid's convention requires the 0x0 address as a placeholder for the verifying contract. convert-to-multisig-dapp.png