defirisk.co
rubric v1.7.0

Hyperlane

Permissionless interchain messaging protocol connecting 150+ chains via per-chain Mailbox smart contracts + pluggable Interchain Security Modules (ISM; default = multisig ISM with Abacus Works validator set) + Warp Routes (token bridging / TVL-bearing collateral contracts). Multi-VM: EVM (Solidity), SVM/Solana (Rust agents), Cosmos (CosmWasm cw-hyperlane), Starknet (Cairo). Anyone can permissionlessly deploy Hyperlane and configure their own ISM on any chain. HYPER token TGE April 2025; Symbiotic-based validator staking live since April 2025. Original protocol — not a fork. Bug bounty on Immunefi ($2.5M max; live since 2023-01-10). Developed by Abacus Works.

Sector permissionless_messaging_bridge
TVL $132.7M
Reviewed May 16, 2026
Factors 184
Categories 13
Risk score 30.5
DeploymentsBNB Chain · $81.8M
01

Risk profile at a glance

1 red · 5 yellow · 7 green
25 24 17 13 15 22 16 10 13 12 8 5 4
02

Categories & evidence

184 factors · 13 categories
Code & audits Yellow 25 25 of 25
RD-F-009 red Formal verification coverage No formal verification (Certora, Kani, Halmos, or equivalent) found for any Hyperlane contract. Trail of Bits audit is a security review, not a formal proof. No /spec or /certora directories in the monorepo. 0% formal verification coverage. Score: red. RD-F-023 red Constructor calls _disableInitializers() Mailbox constructor does NOT call _disableInitializers(): `constructor(uint32 _localDomain) { localDomain = _localDomain; }` — confirmed from GitHub source AND Etherscan verified source (0x7b4D..., solc 0.8.19). HypERC20Collateral and HypNative constructors also lack this call. Only HypERC4626 was found to call _disableInitializers(). This is a class-wide gap: the implementation contracts (behind proxies holding $132.67M TVS) can be initialized directly by an attacker, potentially granting ownership over the implementation and enabling storage manipulation attacks on the proxy. Score: red. RD-F-001 yellow Audit scope mismatch Trail of Bits (Nov 2023) audited EVM V3 Mailbox + ISM at a commit circa Sep 2023; deployed Mailbox impl (0x7b4D..., solc 0.8.19, source-verified) is likely close to audited scope. However, Warp Route ERC4626 extensions (HypERC4626Collateral, HypERC4626OwnerCollateral, WHypERC4626) evolved materially post-audit and the April 2026 ERC4626 insolvency disclosure (issue #8589, open as of 2026-05-17) is unpatched and unaudited. ChainLight Q2 2025 audit listed on docs page but specific commit SHA not independently verified. audit-q2-2026 branch active but no external firm publication found. Yellow: Mailbox core likely in scope; Warp Route extension layer with live TVL has material scope gap. RD-F-002 yellow Audit recency Trail of Bits sign-off 2023-11-06 (~18 months ago). ChainLight Q2 2025 audit listed on docs page — if covering current deployed EVM contracts, recency is ~12 months from Q2 2025 to Q2 2026. Specific ChainLight report PDF and commit SHA not independently verified. audit-q2-2026 branch suggests another engagement is in progress (April 2026). Score: yellow (cannot independently confirm ChainLight 2025 covers current bytecode; conservative given open insolvency disclosure). RD-F-008 yellow Ignored bounty disclosure April 2026 ERC4626 insolvency disclosure (issue #8589, filed 2026-04-14): reporter could not find SECURITY.md, security email, or GitHub private vulnerability reporting; resorted to opening a public GitHub issue tagging individual team members. Disclosure channel failure — but no confirmed fund loss or pre-exploit ignore. Yellow: problematic disclosure response but not red (no confirmed ignored-before-exploit event). RD-F-013 yellow Arbitrary call with user-controlled target Mailbox.process() calls recipient.handle() where recipient address is derived from the message payload — i.e., the message sender picks the recipient. No target allowlist or selector filter is enforced. This is architecturally inherent for a messaging protocol (the purpose is to route messages to arbitrary recipient contracts) but matches the 'arbitrary call with message-controlled target' pattern. Yellow: design-inherent risk, not a coding mistake. RD-F-014 yellow Reentrancy guard on external-calling functions Mailbox.process() uses check-effects-interactions pattern: delivery mapping written (state changed) before recipient.handle() external call. No nonReentrant modifier, but CEI pattern provides reentrancy protection for double-delivery. Warp Route transfer functions (HypERC20Collateral, HypNative) have external calls — reentrancy coverage not verified for all paths without tool run. Score: yellow (Mailbox core pattern correct; Warp Route coverage not fully verified). RD-F-017 yellow Mixed-decimals math without explicit scaling TokenRouter uses explicit scale numerator/denominator constructor parameters for decimal normalization across chains. Explicit scaling mechanism present. However, with 150+ chain deployments, misconfigured scale parameters could produce incorrect cross-chain amounts. Scaling mechanism exists but correct configuration depends on deploy-time parameters. Score: yellow. RD-F-024 yellow Code complexity vs audit coverage Trail of Bits core audit: 5-day engagement (Sep 25–29 2023) + fix review Oct 26 for a protocol with Mailbox, multiple ISM types, gas paymaster, and Warp Routes. Post-2023, ERC4626 vault routes and additional ISM variants were added without audit coverage (per commit history). ChainLight Q2 2025 adds coverage but scope not fully confirmed. Score: yellow (audit depth adequate for v3 core; borderline relative to current codebase surface). RD-F-183 yellow Bug bounty scope gap on highest-TVL contracts Immunefi program (222 assets in scope, $2.5M max) appears to broadly cover smart contracts. Last updated 2026-04-13 (one day before the ERC4626 insolvency disclosure). Explicit in-scope/out-of-scope contract list not verified from accessible page text. April 2026 reporter could not find the Immunefi program easily enough to use it as a disclosure channel. Score: yellow (program appears comprehensive but per-contract scope coverage for highest-TVL Warp Routes not confirmed). RD-F-003 gray Resolved-without-proof findings No audit PDF was parseable via WebFetch (binary PDFs returned). Cannot enumerate findings with resolution status from Trail of Bits or ChainLight reports. The Dexlyn/Hacken fork audit (Dec 2024) found 2 Critical + 1 Medium all Fixed — but this is a third-party fork engagement, not canonical Hyperlane. Curator should obtain Trail of Bits and ChainLight PDFs directly. RD-F-010 gray Static-analyzer high-severity count No published Slither/Mythril/Semgrep static analysis output for current deployed bytecode. Trail of Bits 2023 used proprietary tooling not published as raw JSON. Cannot assess high-severity finding count without tool run. Curator should run Slither on verified Mailbox + ISM + Warp Route sources. RD-F-015 gray ERC-777/1155/721 hook without reentrancy guard HypERC721Collateral exists in the token directory and could receive ERC-721 onERC721Received callbacks. ERC-777 hooks not confirmed. No static analysis output available to verify reentrancy guard coverage on callback paths. Score: gray. RD-F-016 gray Divide-before-multiply pattern No Slither divide-before-multiply detector output available. ERC4626 yield route math (exchange rate computation per 4626.md) could have divide-before-multiply in share accounting. Cannot assess without tool run. RD-F-018 gray Signed/unsigned arithmetic confusion No symbolic execution output available. Solidity 0.8.x provides built-in overflow/underflow protection. No specific signed/unsigned confusion identified in surface-level source inspection, but full verification requires tool run. RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned Hyperlane uses TransparentUpgradeableProxy pattern (ProxyAdmin-based), not UUPS. The UUPS _authorizeUpgrade() pattern is not present in the Mailbox or core contracts. Factor does not apply.
RD-F-004 green Audit count Confirmed distinct audit firms: Trail of Bits (EVM V3, 2023-11), FYEO (v1, 2022-08), ChainLight (Q2 2025, yield routes, CCIP warp route), Oak Security (CosmWasm, 2024-02), Sec3 (Sealevel/Solana, July 2023), Sherlock (Sealevel, 2025-03-27), ChainSecurity (USDT), Offbeat (Compound Staker Rewards). For EVM Solidity specifically: Trail of Bits + ChainLight >= 2 distinct firms. Score: green.
RD-F-005 green Audit firm tier Trail of Bits (Tier-1 per taxonomy) audited EVM V3 core contracts. Zellic (Tier-1 per taxonomy) audited Starknet implementation. ChainLight is Tier-2. Sec3 is Tier-2 (Solana security specialist). Score: green (at least one Tier-1 audit of deployed EVM code).
RD-F-006 green Audit-to-deploy gap Trail of Bits sign-off 2023-11-06; Mailbox v3 proxy deployed ~Oct 25 2023 per profile. Deploy occurred slightly before sign-off (~12 days) with the fix review on Oct 26, 2023. Audit-to-deploy gap is ≤12 days in either direction — well within 60-day green threshold.
RD-F-007 green Bug bounty presence & max payout Immunefi bug bounty active since 2023-01-10, max payout $2,500,000 (10% of directly affected funds), 222 assets in scope, last updated 2026-04-13. Active program with large payout. Score: green.
RD-F-011 green SELFDESTRUCT reachable from non-admin path Mailbox.sol source inspection: no SELFDESTRUCT instruction found. Contract uses OZ patterns with no destructive operations. Score: green.
RD-F-012 green delegatecall with user-controlled target No user-controlled delegatecall found in Mailbox.sol or ISM contracts. The TransparentUpgradeableProxy delegates to implementation only via ProxyAdmin. ISM address used in process() is resolved from a registry, not user-controlled at call time. Score: green.
RD-F-019 green ecrecover zero-address return unchecked AbstractMultisigIsm uses OZ ECDSA.recover() (v4.9.3), not the raw ecrecover opcode. OZ v4.9.3 ECDSA.recover() wraps tryRecover() and calls _throwError() when the recovered address would be zero — causing a revert on invalid signatures. The implicit zero-address rejection via OZ wrapper is equivalent to an explicit check. Score: green.
RD-F-020 green EIP-712 domain separator missing chainId Message.sol includes origin domain (4-byte uint32) in the formatMessage encoding: [version, nonce, originDomain, sender, destDomain, recipient, body]. The message ID is keccak256 of this full encoding. Cross-chain replay is prevented because origin domain is bound into the message hash used in ISM verification. Score: green.
RD-F-022 green Public initialize() without initializer modifier All examined implementation contracts use the OZ initializer modifier on initialize(): Mailbox (`external initializer`), HypERC20Collateral (`public initializer`), HypNative (`public initializer`), HypERC20 (`initializer`), HypERC4626Collateral (initializer present). No unprotected initialize() found. Score: green.
Governance & admin Yellow 23 24 of 24
RD-F-025 yellow Admin key custody type Multisig-only governance (no full DAO+timelock). Core Governance Safe is 6-of-10; Operations Safe is 4-of-9. An Upgrade Timelock (0xBE8B8dc0510F80f0Dfb805302c1A60DaEE8f3434) was deployed 2025-07-18 with confirmed getMinDelay()=86400s (24h) via MinDelayChange event in creation tx. Proposer is Core Governance Safe (6-of-10); executor is open (zero address). Categorical result: multisig with an operative 24h timelock, below the 48h+ peer norm for $132M bridge protocols. RD-F-026 yellow Upgrade multisig signer configuration (M/N) Operations Safe: 4-of-9 (verified Safe API). Core Governance Safe: 6-of-10 (verified Safe API). ProxyAdmin v1 owner Safe (0x12C5AB61): 3-of-6 (verified Safe API — U18 resolution). 3-of-6 and 4-of-9 are both below peer norm (5-of-8+) for $132M TVL bridge protocols. 6-of-10 core governance Safe meets peer norm but may not be the operational admin for all upgrade paths. RD-F-027 yellow Single admin EOA U18 RESOLVED ON-CHAIN. Ethereum v3 Mailbox proxy EIP-1967 admin slot resolves to ProxyAdmin v1 (0x75EE15Ee1B4A75Fa3e2fDF5DF3253c25599cc659). On Dec 26 2022 (deploy day), the deployer EOA called transferOwnership() on ProxyAdmin v1 — tx 0x3db692a662ce7eb633864f84df9548b1844b984305b9061256e36fcaa6bd1452. New owner confirmed as 0x12C5AB61Fe17dF9c65739DBa73dF294708f78d23 (decoded from newOwner parameter in tx input data). Safe API confirms 0x12C5AB61 is a Gnosis Safe 1.3.0 with threshold=3, 6 owners — NOT a bare EOA. F027 does not fire: the ProxyAdmin v1 controlling the $132M Mailbox is owned by a 3-of-6 Safe, not a bare EOA. Scored yellow (not red): 3-of-6 is multisig-secured but below the 5-of-8+ peer norm for $132M bridge; upgrade path lacks a timelock (ProxyAdmin owner Safe can call upgrade directly without delay). RD-F-028 yellow Low-threshold multisig vs TVL ProxyAdmin v1 owner Safe is 3-of-6 (U18 resolved). Operations Safe is 4-of-9. Core Governance Safe is 6-of-10. Peer norm for bridge protocols with $100M+ TVL is 5-of-8 or higher. The controlling Safe for the live Mailbox upgrade path (3-of-6) is below peer norm. 4-of-9 ops Safe is also below norm. Only the 6-of-10 governance Safe meets peer norm but it is the Timelock proposer, not the direct ProxyAdmin controller. RD-F-030 yellow Hot-wallet signer flag Deployer EOA 0xa7ECcdb9Be08178f896c26b7BbD8C3D4E844d9Ba is a signer in both the Operations Safe and Core Governance Safe, with 8,711 transactions and $33K multichain portfolio — behavior consistent with a hot operational wallet. At least 1 signer exhibits high-frequency cross-chain activity inconsistent with a cold hardware wallet. RD-F-032 yellow Timelock duration on upgrades U18 RESOLVED ON-CHAIN — PIPELINE BUG CONFIRMED. Upgrade Timelock 0xBE8B8dc0510F80f0Dfb805302c1A60DaEE8f3434 creation tx 0xd11c92e4... emitted MinDelayChange(oldDuration=0, newDuration=86400). getMinDelay()=86400 seconds (24h) confirmed. The pipeline fetch of getMinDelay()=0 was a bug (yearn-finance precedent confirmed here). 24h delay EXISTS but is below the 48h+ best practice for a $132M bridge protocol. Proposer is Core Governance Safe (6-of-10). Scored yellow: Timelock exists with 24h delay; below 48h+ peer norm. Note: this Timelock was deployed 2025-07-18 — it is not in the ProxyAdmin v1 upgrade path for the existing Mailbox (ProxyAdmin v1 owner Safe 0x12C5AB61 controls upgrades directly); the Timelock is the operative upgrade governance mechanism for future protocol actions. RD-F-033 yellow Timelock on sensitive actions U18 re-scored following Timelock confirmation. A 24h Timelock exists (0xBE8B8dc0510F80f0Dfb805302c1A60DaEE8f3434, proposer=Core Governance Safe). However, the ProxyAdmin v1 (controlling the live Mailbox) is owned by the 3-of-6 Safe (0x12C5AB61) which can call upgrades WITHOUT routing through the Timelock — the Timelock is a separate governance layer deployed 2025-07-18, not necessarily in the existing Mailbox upgrade path. Mailbox.sol onlyOwner functions (setDefaultIsm, setDefaultHook, setRequiredHook) route through whoever owns the Mailbox — not confirmed to be behind the Timelock. Scored yellow: Timelock exists with 24h delay for proposer-gated actions but direct upgrade path via ProxyAdmin v1 owner Safe bypasses it. RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle Mailbox.sol uses a single onlyOwner pattern for all admin operations. Upgrade role (ProxyAdmin v1 → 3-of-6 Safe) and operational config (Mailbox owner) are distinct contracts/address paths. No separate fee-collection role. Oracle config (setDefaultIsm) is an owner function. Partial role separation exists between upgrader and config owner, but config functions are not role-separated among themselves. RD-F-038 yellow Proposal execution delay < 24h U18 re-scored following Timelock delay confirmation. Timelock has 24h delay (confirmed via MinDelayChange event in creation tx). For governance actions routed through the Timelock (Core Governance Safe as proposer), a 24h wait is enforced. However, direct upgrade path via ProxyAdmin v1 owner Safe (3-of-6) is NOT required to use the Timelock — the Safe can call upgrades without any delay. L2Beat confirms Mailbox can be upgraded with no delay. Scored yellow: a 24h Timelock exists for the governance channel but the ProxyAdmin direct path has no enforced delay. RD-F-041 yellow Rescue/emergencyWithdraw without timelock No rescue() / emergencyWithdraw() / sweep() function found in Mailbox.sol or HypERC20Collateral.sol source. However, the ProxyAdmin v1 direct upgrade path (3-of-6 Safe, no enforced Timelock) means any admin action including implementation replacement can be executed without delay. Scored yellow: absence of explicit rescue function is positive, but no effective delay on the ProxyAdmin upgrade path. RD-F-042 yellow Admin has mint() with unlimited max U18 PARTIALLY RESOLVED. HYPER token implementation (0x6eA7A6aE...) has mint(address,uint256) callable by MINTER_ROLE with no supply cap. The HYPER token's DEFAULT_ADMIN_ROLE was transferred from deployer EOA to an OZ AccessManager contract (0x3D079E977d644c914a344Dcb5Ba54dB243Cc4863). The AccessManager has a TimelockController (0xfA842f02439Af6d91d7D44525956F9E5e00e339f) as its admin (roleId=0) and two Safe-type contracts as role holders with 7-day and 30-day execution delays (0xec2EdC01a2Fbade68dBcc80947F43a5B408cC3A0 = Safe 1.4.1; 0xE8055e2763DcbA5a88B1278514312d7C04f0473D = Safe 1.4.1). The deployer EOA renounced DEFAULT_ADMIN_ROLE on the HYPER token on 2025-04-19. The minting authorization chain is: MINTER_ROLE on token → governed by AccessManager → admin is a TimelockController → proposers are Safes with multi-day delays. This is sophisticated access-controlled architecture, not a bare-EOA minter. MINTER_ROLE holder at the contract level not individually confirmed (AccessManager m RD-F-029 gray Multisig signers co-hosted Multiple Safes with 6-19 signers total across three key Safes. No signer identity or infrastructure OSINT performed. Cannot confirm co-hosting. RD-F-034 gray Guardian/pause-keeper distinct from upgrader Mailbox.sol has no PAUSER_ROLE or guardian role. No pause/emergency-stop mechanism identified. No distinct guardian address found in on-chain reads or documentation. RD-F-036 n/a Flash-loanable voting weight No on-chain Governor contract exists (data cache: governor_address=null, governance.type=multisig_only). HYPER token staking via Symbiotic provides cryptoeconomic validator incentives, not flash-loanable voting weight in a Beanstalk-style on-chain governance sense. No Tally/Compound Governor found. RD-F-037 n/a Quorum achievable via single-entity flash loan No on-chain Governor exists. Multisig-only governance model. Flash-loan quorum attack not applicable. RD-F-039 n/a delegatecall/call in proposal execution without allowlist No on-chain Governor or proposal execution contract. Multisig directly calls contract functions. No proposal-payload delegatecall execution path exists. RD-F-040 gray Emergency-veto multisig present No on-chain Governor exists. No veto/cancel mechanism in multisig-only governance. Safe transactions can be revoked pre-execution only by the signing threshold. No distinct emergency-veto multisig identified. RD-F-044 gray Admin wallet interacts with flagged addresses Admin wallet flagged-address check deferred to dev-identity-analyst (Cat 7). Deployer EOA 0xa7ECcdb9... is a Safe signer; no cluster feed check performed in this session. RD-F-047 gray Governance token concentration (Gini) HYPER token holder Gini coefficient not assessed. HYPER launched April 2025 via airdrop. Total supply 600.77M; circulating 338.17M; 11,353 holders as of 2026-05-17. No on-chain Gini scan performed.
RD-F-031 green Signer rotation recency Timelock at 0xBE8B8dc0510F80f0Dfb805302c1A60DaEE8f3434 shows role management events on 2025-07-18 (2 RoleRevoked, 1 RoleGranted) associated with its own creation — no threshold-reduction pattern identified. Timelock was deployed 2025-07-18 (block 22949258). No threshold reduction within 14 days of timelock removal pattern found.
RD-F-043 green Admin = deployer EOA after 7 days ProxyAdmin v1 shows transferOwnership tx on Dec 26 2022 (deploy day) to Safe 0x12C5AB61 (3-of-6). Protocol has been live 29 months. ProxyAdmin v2 deployed 2026-02-25 indicates active governance management. Deployer EOA is not the current effective admin of any core contract.
RD-F-045 green Constructor args match governance proposal No governance proposal exists for original Mailbox v3 deploy (no forum/Snapshot found). Constructor args visible on Etherscan (impl=0x7b4D88..., admin=ProxyAdmin v1) match the protocol documented architecture. No material deviation noted.
RD-F-046 green Contract unverified on Etherscan/Sourcify Ethereum Mailbox v3 proxy and implementation source-verified on Etherscan. BSC Mailbox source verified on BscScan. Solidity 0.8.19 with 999,999 optimizer runs. Core EVM contracts are source-verified.
RD-F-167 green Deprecated contract paused but pause reversible by live admin No deprecated contracts with active admin-reversible pause identified. ProxyAdmin v1 controls the live v3 Mailbox (not deprecated). Abacus v1-era contracts are deprecated but no active pause or admin scope over them identified.
Oracle & external dependencies Green 18 17 of 17
RD-F-049 yellow Oracle role per asset For core message delivery: no oracle used (N/A). For ERC4626 Warp Routes: Chainlink feeds serve as exchange-rate reference for cross-chain share accounting (secondary role, not message security). For IGP: StorageGasOracle serves as gas-price reference. Precise per-route Chainlink feed assignment not confirmed from primary source. RD-F-050 yellow Dependency graph (protocols depended upon) Key dependencies: (1) Abacus Works validator set — existential for message security; (2) OZ v4.9.3 ECDSA library used in ISM signature verification; (3) ERC4626 vault contracts (immutable per deployment) for yield-bearing Warp Routes; (4) Symbiotic vaults for HYPER staking economic security. Break scenarios documented: validator compromise drains all collateral; vault insolvency (GitHub #8589) breaks ERC4626 Warp Route accounting. RD-F-051 yellow Fallback behavior on oracle failure Core ISM has no oracle to fail. IGP StorageGasOracle has no fallback — stale rates affect gas estimates but not message validity. ERC4626 Warp Routes have no explicit fallback on vault failure; the vault address is set at construction with no admin-replaceable wrapper; redeployment is required if the vault becomes insolvent. RD-F-052 yellow Breakage analysis per dependency Breakage analysis: (1) Validator set compromise at threshold: all Warp Route collateral drained in one forged-message transaction — Mailbox has no rate-limiter. (2) StorageGasOracle stale rates: users overpay/underpay gas; message validity unaffected; team must correct manually. (3) ERC4626 vault insolvency (GitHub #8589, April 2026): HypERC4626Collateral locked collateral cannot be fully redeemed; economic loss to bridge users; no automated recovery. (4) OZ ECDSA library bug: would allow forged signatures — OZ 4.9.3 has no known critical ecrecover bug. (5) Symbiotic vault bug: undermines slashing guarantees; no immediate fund-loss in messaging path. RD-F-057 yellow Circuit breaker on price deviation No price-derived oracle in the security-critical path. The Mailbox has no circuit breaker on message volume or value. TokenRouter source confirms no RateLimited or pause modifier. The IGP does not have a circuit breaker on gas price deviation. Absence of a rate-limiter is a meaningful gap for a $132M bridge — this is a positive-mitigant gap (F185 relevant). RD-F-059 yellow Oracle staleness check present StorageGasOracle has no staleness check — exchange rate data is set manually by owner with no timestamp guard. For Chainlink feeds in ERC4626 Warp Routes, staleness check implementation not confirmed from primary source in this session. The ERC4626 collateral contract uses vault.convertToAssets() without a confirmed Chainlink latestRoundData staleness guard. RD-F-062 yellow External keeper/relayer not redundant Hyperlane off-chain relayer network is Abacus Works operated for default routes. The Mailbox.process() call is permissionless (anyone can submit), but the primary relayer infrastructure is centralized. IGP StorageGasOracle updates are owner-only (no keeper). No Chainlink Automation or Gelato dependency found in core path. Relayer centralization is a liveness risk but not a fund-loss risk (permissionless process() allows self-relay as fallback). RD-F-180 yellow Immutable oracle address [★ CRITICAL CANDIDATE — PD-017 held; compose counts it] Core Mailbox ISM path has no oracle and is unaffected. For yield-bearing Warp Routes using HypERC4626Collateral: vault address is set at construction with no admin-replaceable wrapper observable in source — immutable at the Warp Route level. If underlying ERC4626 vault becomes insolvent, the Warp Route cannot redirect to a new vault without redeployment. April 2026 ERC4626 insolvency disclosure (GitHub #8589) makes this directly material as a dependency-breakage vector. Scored yellow (not red) because: (a) it is a collateral-vault, not a Chainlink aggregator in the message-security critical path; (b) Warp Routes can be redeployed (unlike immutable lending oracle adapters); (c) failure mode is vault insolvency, distinct from the USR/USDX/xUSD spot-price manipulation class. FLAG FOR PD-017 POST-LAUNCH PROMOTION REVIEW. RD-F-060 gray Chainlink aggregator min/max bound misconfig The 19 Chainlink feeds in the data cache are standard well-known pairs (ETH/USD, BTC/USD, USDC/USD, USDT/USD, LINK/USD, COMP/USD, UNI/USD, AVAX/USD) on Ethereum mainnet. Specific min/max bound configurations for each feed were not individually verified via on-chain reads in this session. The feeds are not in the message-security path; they serve collateral-accounting context only. Primary on-chain aggregator min/max reads not performed. RD-F-181 n/a Permissionless-pool lending oracle Not a lending protocol. No permissionless pool oracle acceptance in any confirmed code path. Hyperlane's permissionless ISM architecture is about message verification (validator signatures), not token pricing from permissionless DEX pools. F181 (permissionless-pool lending oracle / isolation-tier config) is structurally inapplicable to a bridge protocol.
RD-F-048 green Oracle providers used Core Mailbox and MultisigISM verification paths use NO external price oracle. Gas pricing uses StorageGasOracle with owner-set values (no Chainlink call). 19 Chainlink feeds in data cache are associated with specific Warp Route ERC4626 collateral implementations, not the core message-security path. Confirmed by reading StorageGasOracle.sol (owner-only setRemoteGasData), Mailbox.sol process() (no oracle call), and HypERC20Collateral.sol (no oracle).
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL] No spot DEX pool oracle anywhere in the message-verification or Warp-Route value path. Core security is validator ECDSA signatures. StorageGasOracle uses manually-set values (not DEX pools). ERC4626 exchange rate from vault.convertToAssets() (not a DEX pool). 19 Chainlink feeds are push-based CLOG feeds (not DEX spot). F053 does not fire.
RD-F-054 green TWAP window duration No TWAP oracle in use anywhere in the core or Warp Route path. Chainlink feeds are push-based (deviation + heartbeat), not TWAP. Not applicable to messaging/bridge architecture where security is based on validator signatures.
RD-F-055 green Oracle pool depth (USD) No DEX pool oracle used in any confirmed code path. Chainlink feeds are not pool-depth-dependent in the traditional sense. Not applicable to this protocol architecture.
RD-F-056 green Single-pool oracle (no medianization) No DEX pool oracle used. Not applicable to this protocol architecture. Security is based on validator multi-signatures, not pool prices.
RD-F-058 green Max-deviation threshold (bps) No circuit breaker configured (per F057 finding). Max-deviation threshold factor is N/A in this context — no DEX-price-derived oracle in the security path. Greenish because absence of misconfigured threshold is not a risk; the risk is absence of any threshold (captured in F057).
RD-F-061 green LP token balanceOf used for pricing No LP token balanceOf pricing in any confirmed code path. ERC4626 exchange rate uses vault.convertToAssets() (not raw balanceOf). The standard ERC4626 convertToAssets() is based on total assets / total shares, which incorporates the vault's actual accounting — not a manipulable raw balanceOf.
Economic risk Yellow 20 13 of 13
RD-F-064 yellow TVL concentration (top-10 wallet share) BSC (BNB Chain) holds 61.63% of TVS ($81.77M); Ethereum holds 34.89% ($46.29M). Top 2 chains = 96.5% of total $132.67M TVS. Single-chain concentration of 61.6% on BSC is extreme for a multi-chain bridge — the entire BSC position is secured by a 4-of-6 validator threshold (Abacus Works, Zee Prime, Tessellated, Substance Labs, Luganodes, Enigma per Hyperlane default ISM docs). Per-wallet top-10 depositor share not retrievable (Dune Analytics 403; no programmatic fallback). Chain-level concentration alone warrants yellow. RD-F-074 yellow ERC-4626 virtual-share offset (OZ ≥4.9) HypERC4626Collateral is a production Warp Route variant that deposits collateral into ERC-4626 yield-bearing vaults (introduced as Yield Routes; source: medium.com/hyperlane/introducing-yield-routes). GitHub issue #8589 (filed 2026-04-14, status OPEN as of 2026-05-17 — 33 days) discloses a 'critical' vulnerability described as 'ERC4626 vault insolvency during normal protocol operation' in HypERC20Collateral and HypNative, with 4 passing Foundry PoC tests against real contracts. The reporter could not locate a SECURITY.md or private disclosure channel. Whether the OZ ≥4.9 virtual-share offset pattern is implemented in HypERC4626Collateral is not confirmed from direct code inspection this session (requires code-security-analyst source read). Yellow: live unresolved ERC-4626 share-accounting vulnerability disclosure on a protocol with $132.7M TVS; explicit mention of 'insolvency' in the issue title; 33 days elapsed without public resolution. RD-F-075 yellow First-depositor / share-inflation guard Same evidence base as RD-F-074. Issue #8589 (OPEN, 2026-04-14) describes 'ERC4626 vault insolvency' with 4 Foundry PoCs in HypERC20Collateral and HypNative Warp Routes — both of which interact with ERC-4626 vault accounting when the HypERC4626Collateral variant is used. Whether a first-depositor seed deposit, virtual-share floor, or equivalent guard exists in deployed HypERC4626Collateral contracts is not confirmed from code inspection this session. The existence of a live critical disclosure with PoCs on ERC-4626 share accounting implies that share-inflation protection is either absent or bypassable in at least one code path. Yellow assigned on the same unresolved disclosure. RD-F-066 n/a Utilization rate (lending protocols) Hyperlane is a bridge protocol, not a lending protocol. No borrow/supply markets exist. data cache borrow.present=false. Per PD-024 taxonomy §Category 4 lending-only applicability, this factor is not_applicable for non-lending protocols. RD-F-067 n/a Historical bad-debt events Hyperlane is a bridge protocol with no lending markets. No bad debt events possible in the lending sense. Per PD-024 taxonomy §Category 4 lending-only applicability. RD-F-068 n/a Collateralization under stress Hyperlane is a bridge protocol, not a lending or CDP protocol. No collateralization ratio concept applies. Per PD-024 taxonomy §Category 4 lending-only applicability. RD-F-069 n/a Algorithmic / under-collateralized stablecoin Hyperlane is not a stablecoin protocol. HYPER is a utility/governance token, not an algorithmic stablecoin. Per PD-024 taxonomy §Category 4 lending-only applicability; also not applicable on protocol-type grounds. RD-F-070 n/a Empty cToken-style market (zero supply/borrow) Hyperlane is NOT a Compound V2 fork. It is an original interchain messaging protocol (fork lineage: none per profile §5). No cToken-style markets, no money markets. Per PD-024 and taxonomy §Category 4 'Compound-fork-only' applicability rule, RD-F-070 is not_applicable for bridge protocols. The ★ critical penalty does not apply. RD-F-071 n/a Seed-deposit requirement for new market listing Not a lending protocol. No market-listing mechanism requiring a seed deposit. Warp Routes are permissionless bridge deployments, not lending markets. Per PD-024 taxonomy §Category 4 lending-only applicability. RD-F-072 n/a Market-listing governance threshold Not a lending protocol. No lending market-listing governance threshold. Warp Route deployment is permissionless (any deployer can launch). Per PD-024 taxonomy §Category 4 lending-only applicability. Bridge permissionlessness is a distinct bridge-risk factor assessed under Cat 10. RD-F-073 n/a Oracle-manipulation-proof borrow cap Not a lending protocol. No borrow cap mechanism. Per PD-024 taxonomy §Category 4 lending-only applicability.
RD-F-063 green TVL (current + 30d trend) Current TVL $132.67M as of 2026-05-16 (DefiLlama API). 30-day change +22.94%. 90-day daily series shows trough ~$90.5M in late March 2026, peak $145.1M on 2026-05-10, current $132.7M — net upward trend over the window. TVL represents Warp Route locked collateral (lock-and-mint bridge model). No anomalous cliff drops in the daily series.
RD-F-065 green Liquidity depth per major asset Hyperlane is a bridge protocol using a lock-and-mint model (HypERC20Collateral, HypNative). There is no AMM/DEX liquidity pool; the 2%/5% slippage depth metric does not apply in the traditional DEX sense. The $132.67M locked collateral is itself the available withdrawal liquidity in a 1:1 redemption model. No withdrawal rate limiting confirmed (flagged to oracle-dependency-analyst for F185). Assessed green — bridge model is 1:1 collateral-backed, not liquidity-dependent in the DEX sense.
Operational history Green 13 15 of 15
RD-F-089 red Insurance coverage active No active insurance coverage found for Hyperlane on Nexus Mutual, Sherlock, or Unslashed. Web search and Nexus Mutual blog search returned no Hyperlane-specific cover listing. For a $132M bridge with a live unresolved critical vulnerability disclosure, the absence of institutional cover is a material gap. Bridge protocols at this TVL are the primary target market for on-chain insurance; default red per methodology for bridges with no coverage. RD-F-088 yellow Re-deployed to new addresses in last year ProxyAdmin v2 (0x692e50577fAaBF10F824Dc8Ce581e3Af93785175) deployed 2025-02-25 — within trailing 12 months. This is a governance infrastructure redeploy (transferring admin to a Safe) rather than a full protocol retirement/redeploy of value-holding contracts. Warp Routes are permissionlessly deployed; new routes are a normal operational pattern, not emergency redeployment. Yellow: partial redeployment (governance infrastructure) with documented migration path, not a full contract set retirement. RD-F-081 gray Post-exploit response score No prior exploits — post-exploit response score not applicable. No post-mortem exists to evaluate. RD-F-082 gray Post-mortem published within 30 days No prior exploits — post-mortem timeliness not applicable. Derived from F077 = 0. RD-F-083 gray Auditor re-engaged after last exploit No prior exploits — re-audit after exploit not applicable. Derived from F077 = 0. RD-F-085 gray Incident response time (minutes) No prior exploits — incident response time not applicable. Derived from F077 = 0. RD-F-086 gray Pause activations (trailing 12 months) Hyperlane distributes across 150+ chains with per-route Warp Route collateral contracts and no single global pause mechanism confirmed. On-chain Paused/Unpaused event enumeration across all Warp Route contracts was not feasible in this session. No documented pause activations found in public sources. The April 2026 critical disclosure did NOT trigger a protocol pause. Curator must enumerate on-chain pause events on primary contracts (ETH Mailbox, BSC Mailbox, major HypERC20Collateral contracts) to score.
RD-F-076 green Protocol age (days) First confirmed on-chain deployment 2022-12-26 (ProxyAdmin 0x75EE15Ee1B4A75Fa3e2fDF5DF3253c25599cc659 on Ethereum). As of 2026-05-17: ~872 days live (~29 months). Threshold green = >=365 days. Protocol has operated through V1/V2/V3 transitions and multiple market cycles.
RD-F-077 green Prior exploit count 0 confirmed on-chain fund-loss exploits found. In-house hacksdatabase grep (hyperlane, abacus, warp route, nexus) returned 0 Hyperlane-specific entries. rekt.news leaderboard confirmed 0 entries. DeFiLlama hacks=[]. Data cache rekt.incidents=[]. April 2026 issue #8589 is a responsibly-disclosed vulnerability with no confirmed drain — not counted as an exploit.
RD-F-078 green Chronic-exploit flag (≥3 incidents) Derived from F077 = 0 incidents. Chronic flag (>=3 incidents) does not trigger.
RD-F-079 green Same-root-cause repeat exploit No incidents to evaluate for repeat root-cause pattern. Derived from F077 = 0.
RD-F-080 green Days since last exploit No prior exploits. Threshold green = no incidents or >365 days since last. Derived from F077 = 0.
RD-F-084 green TVL stability (CoV over 90d) Daily TVL time-series from data cache covers ~90 days (2025-11-26 to 2026-05-17; 80+ data points). TVL ranged $91.6M–$145.1M with approximate mean ~$110M, net upward trend. Manual CoV approximation ~0.14, within green threshold (<0.15). Threshold: green = CoV <0.15; yellow = 0.15–0.35; red = >0.35.
RD-F-087 green Pause > 7 consecutive days No documented pause events in the last 12 months. The April 2026 critical vulnerability disclosure (issue #8589) did not trigger a protocol pause — Hyperlane Explorer confirms the protocol remains active. Data cache GitHub last commit 2026-05-15 confirms ongoing active development and no shutdown. No evidence of any pause >7 consecutive days.
RD-F-166 green Deprecated contracts still holding value No protocol-announced deprecated contracts with >$100K residual TVL identified. The $132.67M TVL resides in active V3 Warp Route collateral contracts. V1/V2 Mailbox contracts are superseded but not officially announced as 'deprecated with stuck user funds.' The hyperlane-deploy tooling repo is deprecated but holds no user value. No stale-approval surface on a formally deprecated router confirmed.
Real-time signals Green 11 22 of 22
RD-F-090 yellow Mixer withdrawal → protocol interaction Hyperlane Warp Routes are permissionless — no whitelist prevents mixer-funded wallets from bridging. Deployer EOA 0xa7ECcdb9... is KuCoin-funded (clean, no mixer interactions detected per Etherscan). No confirmed mixer-funded wallet interaction with protocol core contracts identified via public sources. Yellow because the permissionless bridge architecture makes this signal permanently elevated: any Tornado Cash (sanctions lifted March 2025) or Railgun user can bridge through Warp Routes without protocol-level blocking. T-09 phase-2 signal requiring Chainalysis/TRM feed for live confirmation. RD-F-106 yellow Cross-chain bridge unverified mint pattern Hyperlane's permissionless ISM architecture allows Warp Route operators to configure 1-of-1 or self-controlled ISMs — structurally enabling a mint-without-adequate-proof scenario for improperly configured routes. The open unpatched critical GitHub issue #8589 (ERC4626 vault insolvency in HypERC20Collateral/HypNative, filed 2026-04-14, still OPEN as of 2026-05-17) elevates this posture: the vulnerability causes collateral insolvency during normal protocol operation — analogous to a mint-without-adequate-backing scenario. No confirmed exploit of this pattern has occurred. Yellow: applicable, elevated posture due to open unpatched critical, no active fire confirmed. RD-F-182 yellow Security-Council threshold reduction (RT) RD-F-182 monitors for Security Council multisig threshold reductions, timelock removals, or new-signer additions. Hyperlane's Upgrade Timelock (0xBE8B8dc0...) was deployed with getMinDelay()=0 seconds per profile — structurally equivalent to a timelock removal (the timelock provides zero delay protection). This zero-delay Timelock is a static finding from deploy time, not a new real-time event — so the signal would not fire as a real-time alert TODAY. However, the posture is yellow: if either Safe multisig had a threshold reduction (e.g., Core Governance 6-of-10 reduced to 4-of-10, or Operations Multisig 4-of-9 reduced to 3-of-9), RD-F-182 would fire immediately given the existing zero-delay timelock background condition. RD-F-091 gray Partial-drain test transactions No partial-drain test transaction pattern detected in the 90-day TVL data. The EVM Mailbox is observable for this signal but live mempool monitoring with pattern matching is not available in static T-10 assessment. TVL data shows no anomalous small-value drain events. T-09 phase-2 signal not in the v1 production shortlist. RD-F-092 gray Unusual mempool pattern from deployer wallet Deployer EOA 0xa7ECcdb9... has 8,711 total transactions. No unusual mempool pattern (new contract deploys, unusual approval sequences) detected via public sources. T-09 phase-2 signal requiring live mempool listener which is not available in static assessment. RD-F-093 n/a Abnormal gas-price willingness from attacker wallet Hyperlane has no on-chain Governor contract (governance.governor_address=null per data cache). The 5x-gas-race precursor signal applies when attackers front-run flash-loan governance attacks or oracle manipulation in protocols with on-chain voting. Hyperlane's multisig-only governance and absence of a lending/borrowing surface means this specific signal trigger does not exist in the protocol's architecture. RD-F-094 gray New contract with similar bytecode to exploit template No new contract deployment detected with bytecode similarity to Hyperlane Mailbox or ISM contracts as of assessment date. The open unpatched critical ERC4626 vulnerability (GitHub issue #8589, filed 2026-04-14, still open 2026-05-17) means a PoC exists in a researcher's possession — but no public exploit-template contract deployment confirmed. T-09 phase-2 signal requiring on-chain deploy sweep. RD-F-095 gray Known-exploit function-selector replay No known-exploit-template selector replay pattern detected targeting Hyperlane Mailbox or Warp Route contracts. The ERC4626 vault insolvency bug (issue #8589) is a novel vulnerability class with no prior replay pattern. T-09 phase-2 signal requiring mempool plus transaction history monitoring. RD-F-096 gray New ERC-20 approval to unverified contract from whale Not directly observable in static assessment. Requires live mempool monitoring of high-TVL user wallets granting approvals to unverified contracts interacting with Hyperlane Warp Routes. No public evidence of such approvals. T-09 phase-2 signal. RD-F-097 gray Sybil surge of identical-pattern transactions No sybil surge of identical-pattern transactions detected in available data. Warp Routes require actual token holdings to bridge, limiting sybil risk compared to permissionless lending protocols. T-09 v2/deferred signal. RD-F-100 n/a Flash loan >$10M targeting protocol tokens Hyperlane has no on-chain Governor contract (governance.governor_address=null) and no lending/borrowing surface (borrow.present=false per data cache). Flash loans cannot attack Hyperlane governance (no Governor exists) or create an exploitable oracle/governance manipulation loop. The open ERC4626 insolvency vulnerability (issue #8589) operates via normal protocol interaction, not via flash loan. Not applicable in the standard flash-loan-attacks-protocol framing. RD-F-101 n/a Large governance proposal queued Hyperlane has NO on-chain DAO Governor contract (governance.governor_address=null per data cache). HYPER token launched April 2025 but no on-chain Governor or Tally contract confirmed. Symbiotic staking integration provides cryptoeconomic validator incentives only — not flash-loanable on-chain voting weight. Core Governance Safe (6-of-10) last transacted ~2026-04-03 (43 days ago); Operations Multisig last transacted ~2026-04-09 (37 days ago) — normal cadence. No on-chain ProposalCreated events to monitor. RD-F-107 gray Admin EOA signing from new geography/device Off-chain signing telemetry for admin wallet geography/device fingerprint is unavailable in static assessment. Requires MPC/session-key provider or hardware-wallet telemetry, which is proprietary and not publicly accessible. Deployer EOA 0xa7ECcdb9... is active (8,711 txs) but no geography analysis possible from on-chain data alone. RD-F-108 gray GitHub force-push to sensitive branch GitHub last commit 2026-05-15 per data cache — active development. No force-push events confirmed in public-accessible GitHub activity. Live GitHub API webhook monitoring for force-push events on hyperlane-xyz/hyperlane-monorepo main branch is not available in static assessment. T-09 phase-2 signal. RD-F-109 gray Social-media impersonation scam spike No documented spike in Discord/Telegram/X impersonation accounts targeting Hyperlane as of assessment date. HYPER token launch April 2025 may have attracted impersonation activity. Social-media monitoring feed required for live signal. Data gap: requires social-listening vendor subscription. RD-F-110 n/a Unusual pending/executed proposal ratio Hyperlane has no on-chain Governor contract (governance.governor_address=null per data cache). No ProposalCreated or ProposalQueued events exist to monitor. Pending/executed proposal ratio is not a meaningful metric for a multisig-only governance topology. Not applicable.
RD-F-098 green TVL anomaly — % drop in <1h Current TVL $132.67M (+3.24% 1d, +22.94% 30d). 90-day TVL data shows upward trend from ~$90.5M low to $145.1M peak. No anomalous drop detected. The T-09 v1 threshold (TVL_now / TVL_baseline_30d < 0.70 over 60-minute window) is not met. Secondary partial-drain precursor condition not met. Sector-wide correlation suppression not applicable. Would NOT fire today.
RD-F-099 green Oracle price deviation >X% from secondary 19 Chainlink oracle feeds in data cache covering ETH/USD, USDT/USD, USDC/USD, BTC/USD, LINK/USD, COMP/USD, AVAX/USD, UNI/USD. ETH/USD feed 0x5f4eC3Df... (1h heartbeat, 0.5% deviation), USDC/USD 0x8fFfFfd4... (82800s heartbeat, 0.25% deviation), USDT/USD 0x3E7d1eAB... (86400s heartbeat, 0.25% deviation). No deviation anomalies detected on any feed. T-09 phase-2 signal — not in v1 production shortlist. Would not fire today.
RD-F-102 green Admin/upgrade transaction in mempool No admin or upgrade transaction detected in mempool targeting Mailbox v3 (0xc005dc82...) or ProxyAdmin contracts (0x75EE..., 0x692e...) as of 2026-05-17. Most recent ops-multisig activity was 2026-04-09 (37 days ago) — normal operational cadence. T-09 phase-2 signal — not in v1 production shortlist. Would not fire today based on available evidence.
RD-F-103 green Bridge signer-set change proposed/executed Hyperlane IS a bridge. Default ISM validator set on Ethereum is a 6-of-9 multisig configuration per docs (Abacus Works, Kiln, Everstake, Renzo, P2P, ZKV, Citadel.one, Forbole, Luganodes). No unscheduled ISM validator-set or threshold change events detected as of 2026-05-17. Core Governance Safe last transacted 2026-04-03. No bridge signer-set change found. Would NOT fire today.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue Chainlink USDT/USD (0x3E7d1eAB..., 86400s heartbeat, 0.25% deviation) and USDC/USD (0x8fFfFfd4..., 82800s heartbeat, 0.25% deviation) feeds show no depeg as of 2026-05-17. Both USDT and USDC at peg. Hyperlane Warp Routes carry stablecoin collateral on BSC (61.6% TVS) and Ethereum (34.9% TVS) routes. No sustained 2%+ deviation on ≥2 venues detected. Would NOT fire today.
RD-F-105 green DNS/CDN/frontend hash drift hyperlane.xyz, app.hyperlane.xyz, nexus.hyperlane.xyz, docs.hyperlane.xyz are production frontends. No DNS change, SSL certificate issuer change, or frontend JS bundle hash drift detected in available public sources. No documented frontend compromise or DNS hijack in protocol history. T-09 phase-2 signal — not in v1 production shortlist. Would NOT fire today based on available evidence.
Dev identity & insider risk Green 9 16 of 16
RD-F-116 yellow Contributor tenure at admin-permissioned PR Named GitHub public members tkporter (Trevor Porter) and yorhodes (Yorke Rhodes) are founding engineers with Celo backgrounds predating Hyperlane by 2022 — tenure is 3+ years at time of any 2025 admin-permissioned change. However, the specific author of the most recent admin-permissioned PR (e.g., ProxyAdmin v2 transfer, 2025-02-25) was not individually verified in this session. Yellow reflects partial evidence: founding engineers have strong tenure, but specific most-recent-admin-PR author not confirmed. RD-F-117 yellow ENS/NameStone identity bound to deployer Deployer EOA 0xa7ECcdb9Be08178f896c26b7BbD8C3D4E844d9Ba has NO ENS name bound per Etherscan review — the address page shows no ENS label. The ENS name 'hyperlanexyz.eth' resolves to a different address (0x5b73A98165778BCCE72979B4EE3faCdb31728b8E), which is one of the Operations Multisig Safe signers, not the deployer EOA itself. An ENS-bound team identity does exist for one multisig signer but not for the primary deployer, yielding yellow rather than red (team is publicly doxxed by other means). RD-F-119 yellow Commit timezone consistent with stated geography Hyperlane is stated as NYC-based (seed announcement). Devcon 2024 presence (Bangkok) and prior conference participation are consistent with US/international timezone. No tz-anomaly flag found by independent research. Commit-hour distribution was not individually analyzed in this session — yellow assigned conservatively for absence of direct analysis rather than evidence of anomaly. No DPRK-tz flag suspected given full team doxxing. RD-F-123 yellow Sudden admin-rescue/ACL change without discussion Two events assessed. (a) ProxyAdmin v2 (0x692e50577) deployed 2025-02-25 with post-deploy ownership transfer — no dedicated public GitHub issue, PR, or forum post discussing this specific ownership migration found. Transfer direction is safety-improving (bare EOA -> multisig) but undiscussed publicly. (b) Issue #8589 (April 14, 2026): critical Warp Route vulnerability reported via public GitHub issue; reporter noted no SECURITY.md, security email, or GitHub private advisory enabled; tagged @yorhodes and @tkporter; as of 2026-05-17 issue remains OPEN with no visible team response, no labels, no assignees — 33 days without acknowledgment. This is a disclosure-infrastructure failure and insider transparency gap, not a confirmed ACL manipulation. No DPRK/OFAC nexus (routes to F123, not F125). Scored yellow: meaningful concern, not red absent confirmed malicious ACL change. RD-F-184 gray Real-capital social-engineering persona No curator-flagged 'team contributor' or 'external integrator' persona identified as having made >=1M USD in attributed deposits to Hyperlane or peer protocols as a social-engineering setup. Issue #8589 reporter (handle 'bilinmeyenkarakter') is an external security researcher requesting disclosure, not a social-engineering insider persona. The Drift Protocol UNC4736 analogue pattern was not identified for Hyperlane. No adverse signals found in open-source OSINT. Factor definition specifies M-only curation with curator confidence required beyond on-chain trail; positive confirmation requires dedicated curator investigation. Gray assigned per collection methodology: only-OSINT without curator confirmation is insufficient for this factor.
RD-F-111 green Team doxx status Three co-founders (Jon Kol, Nam Chu Hoai, Asa Oines) are fully doxxed with real names, LinkedIn profiles, verified prior-employer histories (Galaxy Digital, cLabs/Celo, Google), investor-facing press coverage, and conference talk presence. Founding engineers Trevor Porter and Yorke Rhodes confirmed by name in fundraise announcement and as GitHub org public members. Unresolved: 7 of 10 Core Governance Safe signers and 6 of 9 Operations Multisig signers not individually identified.
RD-F-112 green Team public accountability surface Jon Kol: Galaxy Digital MD (public LinkedIn+press), conference speaker Devcon 2024, Encode Club AMA, Fortune/CoinDesk quoted, UC Berkeley/Morgan Stanley/IDF verifiable. Asa Oines: Celo founding engineer (public), cLabs alum, Google background. Nam Chu Hoai: Celo engineer, LinkedIn public, Wellfound listed. Investors (Variant, Galaxy Ventures, CoinFund, Circle) add further accountability surface. Multiple verifiable public trails per co-founder.
RD-F-113 green Team other-protocol involvement history Jon Kol: ex-Galaxy Digital (invested in Radicle, ChaosLabs, 1inch, Terra; no adverse protocol role). Asa Oines: Celo/cLabs founding engineer only prior protocol role. Nam Chu Hoai: co-founded Credport (2012, non-DeFi) and Celo engineering; no prior rug affiliations. No team member linked to a prior rug or exit-scam-labeled protocol. Unresolved Safe signers not assessed but named team core is clean.
RD-F-114 green Deployer address prior on-chain history Deployer EOA 0xa7ECcdb9Be08178f896c26b7BbD8C3D4E844d9Ba has 8,711 transactions; funded approximately June 2022 (~3 yrs 335 days before 2026-05-17). First confirmed deploy anchor is 2022-12-26 (ProxyAdmin v1). Pattern is an active development EOA with multi-year history — not a fresh wallet created for a rug. No Rekt database entry for this deployer. No rug-deployer cross-reference hit found.
RD-F-115 green Prior rug/exit-scam affiliation Targeted web search for 'Hyperlane rug exit scam fraud developer team' returned only generic rug-pull educational articles — no Hyperlane-specific adverse results. No team member linked via verified OSINT to a prior rug or exit-scam-labeled protocol. Rekt database shows no incidents. Founding team all have verifiable prior-employer histories (Galaxy Digital, cLabs, Google) inconsistent with rug-deployer class.
RD-F-118 green Handle reuse across failed/rugged projects No evidence of Twitter/Discord/GitHub handle reuse across prior failed or rugged projects. Abacus Network Twitter handle (@abacus_network) dates to May 2022 and transitions to Hyperlane branding — a consistent brand evolution, not an alias change after a rug. No named founder has a documented handle-reuse pattern across adverse projects.
RD-F-120 green Video-off/voice-consistency flag Jon Kol has appeared in recorded AMAs (Encode Club) and is quoted in written press (Fortune, CoinDesk, The Block). Devcon 2024 panel confirms Hyperlane co-founder/team member public video/audio presence. Asa Oines and Nam Chu Hoai confirmed at prior Celo/cLabs public events. No 'video-off' or voice-consistency concerns documented in any public source. No curator-observed live inconsistency (M-only confidence limitation acknowledged).
RD-F-121 green Contributor OSINT depth score Jon Kol: 5/5 (LinkedIn, news coverage, GitHub, AMA recordings, conference talks, CypherHunter/RootData profiles). Asa Oines: 4/5 (LinkedIn, CoinDesk, Celo founding-engineer public record). Nam Chu Hoai: 4/5 (LinkedIn, The Org, Wellfound, Celo record). Porter/Rhodes: 3/5 (GitHub public membership, founding-engineer named in press). Unresolved Safe signers: 0/5. Named founding team scores 4-5/5 on OSINT depth; overall green given team core accountability.
RD-F-122 green Contributor paid to DPRK-cluster wallet Deployer EOA 0xa7ECcdb9 funded by KuCoin 10 (CEX, 1-hop, not DPRK-labeled). No Chainalysis or Arkham public report found flagging any Hyperlane contributor wallet in a DPRK cluster within 3 hops. Targeted search 'Hyperlane Tornado Cash Lazarus OFAC sanctions' returned no team-connection results. Note: this factor covers payroll-to-wallet routing; Hyperlane as passive bridge venue for DPRK fund movement does not satisfy this factor per U4.
RD-F-124 green Deployer wallet mixer-funded within 30 days Deployer EOA 0xa7ECcdb9 was funded by KuCoin 10 (Etherscan label). Funding occurred approximately June 2022, approximately 200 days before the first confirmed on-chain deployment (2022-12-26 ProxyAdmin v1). This is well outside the 30-day window defined by RD-F-124. No Tornado Cash or Railgun interactions observed anywhere in the funding trail. KuCoin 10 is a labeled centralized-exchange withdrawal address. Finding: CLEAN.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No DPRK/Lazarus cluster proximity found for deployer EOA 0xa7ECcdb9 or any named principal. Deployer funded by KuCoin 10 at 1-hop (CEX, not DPRK-labeled). OFAC SDN search returned no hits for Jon Kol, Asa Oines, or Nam Chu Hoai. Targeted search 'Hyperlane Abacus Works Jon Kol Asa Oines DPRK Lazarus North Korea' returned zero results. All named principals have verified prior-employer histories (Galaxy Digital, cLabs/Celo, Google) inconsistent with DPRK actor profile. No Chainalysis-published cluster report flagging any Hyperlane wallet. Hyperlane as passive bridge venue for DPRK fund movement does NOT contaminate F125 per U4 — route any such finding to Cat 11. No DPRK escalation required.
Fork / dependency lineage Green 0 10 of 10
RD-F-126 n/a Is-a-fork-of Hyperlane (fka Abacus Network) is an original interchain messaging protocol. The monorepo contains original Solidity, Rust, TypeScript, CosmWasm, and Starknet Cairo code with no upstream fork relationship. Profile §5 explicitly confirms: 'Not forked / original.' RD-F-127 n/a Upstream patch not merged Hyperlane has no upstream fork; upstream patch merge question is moot. RD-F-128 n/a Upstream vulnerability disclosure (last 90d) No upstream fork; upstream vulnerability disclosure question is moot. RD-F-129 n/a Code divergence from upstream (%) No upstream fork; code divergence from upstream is moot — no baseline to diff against. RD-F-130 n/a Fork depth (generations from original audit) No upstream fork; fork depth is not applicable — Hyperlane is the original protocol. RD-F-131 n/a Fork retains upstream audit coverage No upstream fork; upstream audit retention question is moot. Hyperlane has its own direct audit coverage assessed under Cat 1. RD-F-132 n/a Fork has different economic parameters than upstream No upstream fork; economic parameter divergence from upstream is moot.
RD-F-133 green Dependency manifest uses unpinned versions All 9 remappings in remappings.txt use fixed version pinning with no wildcards: @openzeppelin/contracts v4.9.3, @openzeppelin/contracts-upgradeable v4.9.3, @arbitrum/nitro-contracts v1.2.1, @chainlink/contracts-ccip v1.5.0, @eth-optimism/contracts v0.6.0, @predicate/ v2.2.2, forge-std/ v1.9.2, ds-test/ v1.9.2, permit2/ v1.0.0. No unpinned critical libraries. Score: green.
RD-F-134 green Dependency had malicious-release incident (last 90d) No malicious-release advisory found for OZ 4.9.3, forge-std 1.9.2, or other pinned Hyperlane dependencies in the trailing 90 days. OZ 4.9.3 is a stable, long-established version with no active malicious-release flag. Score: green.
RD-F-135 green Shared-library version with known-vuln status OpenZeppelin 4.9.3 — pinned. As of 2026-05-17, OZ 4.9.3 has no active high/critical GHSA advisory affecting contracts used by Hyperlane (Initializable, OwnableUpgradeable, ECDSA, SafeERC20, TransparentUpgradeableProxy). Score: green.
Post-deploy hygiene & change mgmt Yellow 48 13 of 13
RD-F-139 red Post-audit code changes without re-audit GitHub issue #8589 (opened 2026-04-14) discloses a critical ERC4626 vault insolvency vulnerability in HypERC20Collateral / HypNative Warp Route contracts. Issue remains OPEN as of 2026-05-17 with no public team response and no confirmed patch PR. The most recent EVM audit was Trail of Bits 2023-11 (covering late-2023 code). Warp Route ERC4626 integration changes post-dating that audit appear unreviewed. No evidence of a re-audit. Textbook F139 post-audit-code-change-without-re-audit scenario. RD-F-143 red Reinitializable implementation (no _disableInitializers) Mailbox.sol constructor does NOT call _disableInitializers(). Constructor only sets immutable localDomain. The initialize() function uses the initializer modifier but only on the proxy side — the bare implementation contract is not locked. HypERC20Collateral.sol constructor also does not call _disableInitializers(). Any caller can initialize the unprotected implementation contract directly, enabling a proxy takeover scenario. RD-F-185 red Bridge rate-limiter / chain-pause as positive mitigant No per-window outflow rate-limiter found in Mailbox or Warp Route source. HypERC20Collateral.sol and HypNative have no rate-limit logic. The ISM architecture allows validators to cease attestation (liveness failure mode, not a rate limit). No chain-pause capability documented for Ethereum or BSC Mailbox. Absence of this mitigant is a negative finding for F185 — rated red given $132M TVS and the open ERC4626 vulnerability (GitHub issue #8589) providing a concrete attack path this mitigant would otherwise limit. RD-F-140 yellow Fix-merged-but-not-deployed gap Related to F139: no public patch PR for the ERC4626 vulnerability identified. The issue is open with no fix linked. Scored yellow (gap exists; no fix-merged-but-not-deployed scenario since no fix exists at all). RD-F-145 yellow Deployed bytecode reproducibility Etherscan source-verified (Solidity 0.8.19, 999,999 optimizer runs). No formal build-artifact reproducibility infrastructure found — data cache: foundry_toml_present=false, hardhat_config_present=false. Source is verifiable but formal reproducibility process not established. RD-F-146 yellow New contract deploys in last 30 days Permissionless Warp Route deployment model means new contracts deploy continuously. ProxyAdmin v2 deployed 80 days ago. Monorepo last commit 2026-05-15 indicates active development and likely recent deploys on the 150+ chain network. RD-F-168 yellow Stale-approval exposure on deprecated router Hyperlane evolved from Abacus v1 (Dec 2022) through v2 (Jan 2023) to v3 (Oct 2023). Users who approved deprecated v1/v2 Warp Route collateral contracts may have residual unrevoked approvals. No active allowance scan performed. No revoke-notice published for deprecated routes found. RD-F-136 gray Deployed bytecode matches signed release tag Hyperlane GitHub has no signed release-tag workflow identified. Data cache: changelog_present=false. No audits/ subdirectory in monorepo. Cannot verify signed-commit-to-deployed-bytecode match. RD-F-137 gray Upgrade frequency (per 90 days) ProxyAdmin v2 deployed 2026-02-25 (not a contract upgrade). No Upgraded events queried in this session. Data cache lacks upgrade event counts. Low upgrade cadence inferred but not measured. RD-F-138 gray Hot-patch deploys without timelock (last 30 days) Cannot assess without upgrade event log query. Timelock delay confirmed 24h (86400s) via U18 resolution. If all upgrades route through the Timelock, hot-patches are impossible. However, ProxyAdmin v1 direct path (3-of-6 Safe, no Timelock) could bypass this. No Upgraded events queried. RD-F-142 gray Storage-layout collision risk across upgrades Mailbox.sol inherits OwnableUpgradeable — standard OZ upgradeable pattern. No OZ upgrades plugin output available. Three major version jumps (Abacus v1 -> v2 -> Hyperlane v3) occurred without a public storage-layout verification report.
RD-F-141 green Test-mode parameters in deploy Mailbox.sol uses immutable localDomain set in constructor — production parameter, not test artifact. ProxyAdmin ownership transferred at launch (Dec 26 2022) to Safe (confirmed U18). No admin=deployer-EOA in current configuration. No infinite allowance or test oracle identified.
RD-F-144 green CREATE2 factory permits same-address redeploy No CREATE2 factory deployment identified for core Mailbox or Warp Routes. Mailbox v3 deployed via standard creation transaction.
Cross-chain & bridge Green 19 12 of 12
RD-F-148 yellow Bridge validator count (M) Default ISM validator sets: Ethereum 8 validators (6-of-8), BSC 6 validators (4-of-6), Arbitrum 5 (3-of-5), Base 5 (3-of-5). Named validators include Abacus Works plus DSRV, Zee Prime, Staked, Luganodes, Imperator, Mitosis, Substance Labs, Enigma, Tessellated. BSC holds 61.6% TVS ($81.8M) with only 6 validators. Permissionless app ISMs may have as few as 1 validator (documented systemic risk, not a Hyperlane protocol failure). Yellow for BSC concentration (6 validators protecting 61.6% TVS) and permissionless surface. RD-F-149 yellow Bridge validator threshold (k-of-M) Default ISM thresholds: ETH 6-of-8 (75%), BSC 4-of-6 (67%), Arbitrum 3-of-5 (60%), Base 3-of-5 (60%). These are adequate thresholds for a permissioned set. However, AbstractMultisigIsm.sol only enforces threshold > 0 — a threshold of 1 is accepted. Permissionless ISM architecture allows Warp Route operators to deploy 1-of-1 ISMs with no protocol-enforced minimum. This is documented Hyperlane design but creates systemic risk at the app-ISM layer. RD-F-154 yellow Default bytes32(0) acceptable as valid root [★ CRITICAL] YELLOW. AbstractMerkleRootMultisigIsm does not explicitly check for bytes32(0) as the merkle root — no require(root != bytes32(0)) guard found. However, this is NOT the Nomad pattern: Nomad's vulnerability was that bytes32(0) was pre-initialized as a proven root allowing any message to be processed without fresh signatures. Hyperlane requires: (1) fresh ECDSA signatures from threshold validators on each checkpoint, (2) the root is keccak256-incorporated into the digest, (3) a zero root produces a distinct non-zero digest requiring active validator signing. The structural Nomad flaw (pre-proven universal root) is absent. The hygiene gap is the missing explicit zero-root guard. ToB V3 audit finding on this point not extractable from binary PDF in this session. RD-F-156 yellow Bridge uses same key custody for >30% validators Named validator operators (Abacus Works, DSRV, Zee Prime, Staked, Luganodes, Imperator, Mitosis, Substance Labs, Enigma, Tessellated) are distinct legal entities. Abacus Works is one of 8 ETH validators and one of 6 BSC validators (12.5-16.7% per chain). By named-operator count, no single entity appears to control >30% of the validator set. However, actual key custody practices for each operator not verified from primary source in this session. Yellow for unverified custody practices. RD-F-157 yellow Bridge TVL per validator ratio BSC: $81.8M TVS / 6 validators = ~$13.6M per validator; compromise of 4 validators (threshold) controls $81.8M. Ethereum: $46.3M / 8 validators = ~$5.8M per validator; compromise of 6 controls $46.3M. Total: $132.67M / ~6 average validators per chain = ~$22M per validator-equivalent. High per-validator TVL for a bridge at this size. A compromised BSC threshold controls 61.6% of all TVS in one transaction. RD-F-150 gray Bridge validator co-hosting Named validator operators (Abacus Works, DSRV, Zee Prime, Staked, Luganodes, Imperator, Mitosis, Substance Labs, Enigma, Tessellated) are distinct legal entities and infrastructure providers. OSINT-grade infrastructure co-hosting analysis not performed in this session. Known operators are reputable validators in the wider ecosystem, reducing co-hosting probability but not eliminating it. RD-F-155 gray Bridge validator-set rotation recency Validator set rotation recency not confirmed from on-chain events in this session. SDK constants file shows validator set composition but not last rotation date. ValidatorAnnounce.sol contract exists in monorepo for tracking validator set changes. On-chain event log not queried in this session. RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) NOT APPLICABLE. Hyperlane is its own messaging layer and is NOT a LayerZero OApp. Data cache confirms layerzero.present=false. Profile §7 confirms no LayerZero bridge dependency. F179 applies only to LayerZero OFT integrations. Hyperlane uses its own Mailbox + ISM architecture, not LayerZero endpoints.
RD-F-147 green Protocol has bridge surface Yes — Hyperlane IS a cross-chain interchain messaging bridge. Mailbox contracts deployed on 150+ chains. Warp Routes hold $132.67M TVS per DefiLlama as of 2026-05-17. Profile explicitly confirms is_a_bridge=true, has_bridge_surface=true.
RD-F-151 green Bridge ecrecover checks result ≠ address(0) [★ CRITICAL] GREEN. AbstractMultisigIsm.sol uses ECDSA.recover() from OpenZeppelin 4.9.3 (confirmed via foundry.toml). OZ 4.9.x ECDSA.recover() calls tryRecover() internally; if ecrecover returns address(0), tryRecover() returns RecoverError.InvalidSignature, and _throwError() reverts with ECDSAInvalidSignature(). Zero-address explicitly rejected. Additionally, even if address(0) were silently returned, the validator-matching loop (_signer != _validators[_validatorIndex]) would exhaust all validators and revert with !threshold. Double protection against zero-address ecrecover.
RD-F-152 green Bridge binds message to srcChainId Yes. Mailbox verifies _message.destination() == localDomain (prevents cross-chain replay to wrong destination). CheckpointLib.digest() includes _message.origin() in the digest computation, binding signatures to origin chain. Message struct includes origin domain ID. Cross-chain replay structurally prevented.
RD-F-153 green Bridge tracks nonce-consumed mapping Yes. Mailbox maintains mapping(bytes32 messageId => Delivery delivery) internal deliveries. The delivered() function returns true if deliveries[_id].blockNumber > 0. The process() function requires delivered(_id) == false before execution. Nonces increment on dispatch (nonce += 1). Each message ID is unique incorporating nonce, origin, destination, sender, recipient, body. Replay protection is structurally sound.
Threat intelligence & recon Yellow 27 8 of 8
RD-F-158 yellow Known-threat-actor cluster has touched protocol Hyperlane Warp Routes are a permissionless cross-chain bridge — the same class of protocol used by Lazarus Group for laundering post-exploit (confirmed: LayerZero/Kelp DAO April 2026, $292M DPRK attribution). No confirmed threat-actor cluster touch on Hyperlane's specific contracts detected via public sources. Scoring is U4 PASSIVE-VENUE: bridges are common laundering routes — attacker bridging THROUGH Hyperlane is a passive venue risk, not team contamination. Yellow: elevated posture due to bridge-class being DPRK/Lazarus target class; no confirmed incident; T-09 phase-2 signal requiring Chainalysis/TRM live feed for confirmation. RD-F-161 yellow Protocol-impersonator domain registered (typosquat) hyperlane.xyz uses the .xyz TLD — a popular typosquatting domain space (11.1% of typosquatting domains use .xyz per Interisle 2025 Phishing Landscape report). Protocol registration date ~September 2022 (at $18.5M seed raise announcement). Assessment date 2026-05-17 = ~43 months post-registration — within normal ongoing monitoring window. No confirmed hyperlane.xyz typosquat domain registration found in WHOIS lookup (who.is returned no data for hyperlane.xyz — privacy shield active). Brand name Hyperlane is distinctive but .xyz TLD increases exposure. Yellow: typosquat risk elevated due to .xyz TLD; no confirmed active typosquat domain found; requires ongoing domain-monitoring feed. RD-F-162 yellow Known-exploit-template selector deployed by any address Open GitHub issue #8589 (filed 2026-04-14, OPEN as of 2026-05-17, 33 days elapsed) describes a critical ERC4626 vault insolvency bug in HypERC20Collateral and HypNative Warp Route contracts. The reporter confirms having 4 passing Foundry PoC tests against real contracts at $132.67M TVS. Technical details withheld pending private disclosure but the vulnerability class (ERC4626 vault insolvency during normal operation) is publicly known. A working exploit template exists in the researcher's possession. No evidence of exploit-template contract deployment found in public on-chain data. Yellow: PoC exists; exploit template in researcher's hands but not publicly deployed; active public disclosure window creates elevated risk. RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols Bridge-class protocols of this TVS tier (>$100M) face 30-78 day reconnaissance windows (USPD-style, per hack DB evidence). The open critical GitHub issue #8589 was filed 2026-04-14 — 33 days before this assessment (2026-05-17). If the vulnerability remains unpatched (no public patch evidence found), the protocol is at or near the critical reconnaissance window midpoint. A financially-motivated attacker who obtained the private disclosure details from the researcher (or independently discovered the same vulnerability) faces diminishing time pressure as the disclosure ages and risks going fully public. Yellow: reconnaissance window is at critical stage; no confirmed attacker reconnaissance detected but posture is elevated given open unpatched critical at 33 days. RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) No mempool probe pattern (failing low-gas transactions from known threat-actor wallets to Hyperlane contracts) detected in available public data. Requires live mempool monitoring combined with a threat-actor wallet list (Chainalysis/TRM feed) — both unavailable in static assessment. RD-F-164 gray Leaked credential on paste/sentry site No leaked credential or Sentry/paste-site dump referencing Hyperlane infrastructure endpoints found in public sources. Data gap: requires paste-site monitoring feed (HaveIBeenPwned API, IntelX, BreachForums scraper — all require authenticated API access not available in static assessment). RD-F-165 gray Protocol social channel has scam-coordinator flag No confirmed scam-coordinator flagged in Hyperlane's Discord or Telegram channels as of assessment date. No channel infiltration documented in protocol history. Requires curator social watchlist monitoring — unavailable in static assessment.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps GitHub last commit 2026-05-15; no malicious-release GitHub security advisory flags detected for Hyperlane's npm dependencies (package.json present per data cache). No known malicious release in the TypeScript SDK or Rust agents npm/cargo ecosystem detected as of 2026-05-17. Monorepo is public and actively maintained — any advisory would be publicly visible.
Tooling / compiler / AI Green 8 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) Two solc versions: (1) Deployed Mailbox (Ethereum + BSC): v0.8.19+commit.7dd6d404 — no known high/critical bugs. (2) Current foundry.toml build toolchain: solc 0.8.33, evm_version cancun. Etherscan solcbuginfo lists HIGH severity 'TransientStorageClearingHelperCollision' bug affecting 0.8.28–0.8.33 (fixed in 0.8.34). Hyperlane uses evm_version cancun enabling transient storage opcodes. New contracts deployed with 0.8.33 + cancun inherit this bug until upgrade to 0.8.34. Score: yellow (deployed production at 0.8.19 clean; build toolchain at 0.8.33 carries HIGH bug applicable to new cancun deploys). RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Hyperlane is an original protocol with no audited upstream bytecode to compare against. The bytecode-similarity-to-upstream factor is structurally moot for original codebases.
RD-F-172 green Repo shows AI-tool co-authorship in critical files GitHub search for 'co-authored-by AI Copilot' in hyperlane-xyz/hyperlane-monorepo returned 0 results as of 2026-05-17. No AI co-authorship metadata found in commit history for any files. Score: green.
RD-F-173 green Team self-disclosure of AI-generated Solidity No blog post, tweet, or documentation found disclosing AI-generated Solidity in production security-critical contracts. Searched Hyperlane blog, X (@hyperlane), GitHub. Score: green.
RD-F-174 green Dependency tree uses EOL Solidity version Deployed Mailbox: solc 0.8.19 — supported non-EOL version. Build toolchain: solc 0.8.33 — non-EOL (0.8.34 is latest stable but 0.8.33 is still in supported Solidity 0.8.x series). Score: green.
Response & disclosure hygiene Red 58 4 of 4
RD-F-176 red Disclosure SLA public No acknowledgment SLA published on Immunefi program page, no SECURITY.md with SLA, no Hyperlane doc page with response timeline. The April 2026 critical disclosure (issue #8589, opened 2026-04-14) received no documented team response for 33+ days, consistent with no SLA commitment in force. For a $132M bridge with an active critical disclosure, absence of published SLA is a red finding. RD-F-177 red Prior known-ignored disclosure April 2026 critical disclosure (issue #8589, opened 2026-04-14): ERC4626 insolvency bug in HypERC20Collateral / HypNative Warp Routes; 4 passing Foundry PoC tests; full root-cause analysis prepared. As of 2026-05-17 (33 days later): no Hyperlane team response visible on public GitHub issue; no GHSA/CVE filed; no merged PR addressing ERC4626 insolvency found in monorepo PR list (138 open, 1,427 closed). This is a live critical vulnerability with no publicly confirmed team response or patch on a $132M bridge. Caveat: private engagement may have occurred but is not visible. Score red pending curator verification of private engagement status. RD-F-175 yellow Disclosure channel exists Immunefi bug bounty program exists (live since 2023-01-10; $2.5M max payout; 222 assets in scope). However no SECURITY.md exists in the monorepo, no security contact email is published on docs.hyperlane.xyz, and the April 2026 critical disclosure (issue #8589) demonstrates that researchers cannot easily find the disclosure channel — the reporter posted to public GitHub issues because they could not find a secure channel. Yellow: channel exists but not adequately signposted.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE, GHSA, or equivalent public advisory issued against Hyperlane. GitHub security overview confirms 'No published security advisories.' The April 2026 disclosure remains a GitHub issue (not a formal advisory). NVD CVE search returned no Hyperlane results. Green on this factor means no formal advisory record exists (counterintuitively green: the factor scores the existence of a formal advisory, which when present indicates a publicly documented vulnerability).
rubric_version v1.7.0 graded_at 2026-05-16 23:03:59 factors 184 protocol hyperlane