ERC-4626 virtual-share offset (OZ ≥4.9)
Hyperlane's assessment for RD-F-074 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
HypERC4626Collateral is a production Warp Route variant that deposits collateral into ERC-4626 yield-bearing vaults (introduced as Yield Routes; source: medium.com/hyperlane/introducing-yield-routes). GitHub issue #8589 (filed 2026-04-14, status OPEN as of 2026-05-17 — 33 days) discloses a 'critical' vulnerability described as 'ERC4626 vault insolvency during normal protocol operation' in HypERC20Collateral and HypNative, with 4 passing Foundry PoC tests against real contracts. The reporter could not locate a SECURITY.md or private disclosure channel. Whether the OZ ≥4.9 virtual-share offset pattern is implemented in HypERC4626Collateral is not confirmed from direct code inspection this session (requires code-security-analyst source read). Yellow: live unresolved ERC-4626 share-accounting vulnerability disclosure on a protocol with $132.7M TVS; explicit mention of 'insolvency' in the issue title; 33 days elapsed without public resolution.
Sources
- GitHub: Hyperlane monorepo — Issue #8589. Issue #8589 — Security: Critical vulnerability in warp route contracts, ERC4626 vault insolvency, filed 2026-04-14, OPEN. Retrieved 2026-05-17.
- Hyperlane Warp Routes: Types. Hyperlane Warp Routes types — HypERC4626Collateral description. Retrieved 2026-05-17.
- Introducing Yield Routes — Hyperlane Medium. Hyperlane — Introducing Yield Routes (ERC-4626 warp route launch announcement). Retrieved 2026-05-17.
Methodology
Determine whether ERC-4626 vaults use the OpenZeppelin ≥4.9 virtual-share offset pattern to prevent first-depositor share inflation.
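Added example (not Hyperlane's or OpenZeppelin's code): an integer model of the deposit share conversion this factor checks for, comparing a vault with no virtual shares against the OZ ≥4.9 formula at offsets 0 and 6. The class, method names and amounts are constructed for illustration.

```python
# Integer model of ERC-4626 share accounting. All amounts are constructed.

class VaultModel:
    def __init__(self, offset=None):
        self.offset = offset          # None = no virtual shares/assets
        self.total_assets = 0
        self.total_supply = 0

    def _virtual(self):
        # OZ >=4.9 adds 10**offset virtual shares and 1 virtual asset.
        return (0, 0) if self.offset is None else (10 ** self.offset, 1)

    def to_shares(self, assets):
        vs, va = self._virtual()
        if self.offset is None and self.total_supply == 0:
            return assets             # empty vault without offset: 1:1
        return assets * (self.total_supply + vs) // (self.total_assets + va)

    def to_assets(self, shares):
        vs, va = self._virtual()
        if self.total_supply + vs == 0:
            return 0
        return shares * (self.total_assets + va) // (self.total_supply + vs)

    def deposit(self, assets):
        shares = self.to_shares(assets)   # rounds down, as on deposit
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def receive_unaccounted(self, assets):
        # Assets reach the vault's balance without any shares being minted.
        self.total_assets += assets


def scenario(offset, seed=1, unaccounted=10**18, deposit=10**18):
    """Tiny first deposit, an unaccounted balance increase, then a normal
    deposit. Returns (second depositor's shares, assets those shares redeem
    for, assets the first depositor's shares redeem for)."""
    v = VaultModel(offset)
    first = v.deposit(seed)
    v.receive_unaccounted(unaccounted)
    second = v.deposit(deposit)
    return second, v.to_assets(second), v.to_assets(first)


if __name__ == "__main__":
    for off in (None, 0, 6):
        print(off, scenario(off))
```

Without virtual shares the second deposit rounds to zero shares; with the offset the first depositor's position redeems for less than the assets put in, and a larger offset shrinks the second depositor's rounding loss.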