★ Sudden admin-rescue/ACL change without discussion
Hyperlane's assessment for RD-F-123 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Two events assessed.

(a) ProxyAdmin v2 (0x692e50577) deployed 2025-02-25 with post-deploy ownership transfer — no dedicated public GitHub issue, PR, or forum post discussing this specific ownership migration found. Transfer direction is safety-improving (bare EOA -> multisig) but undiscussed publicly.

(b) Issue #8589 (April 14, 2026): critical Warp Route vulnerability reported via public GitHub issue; reporter noted no SECURITY.md, security email, or GitHub private advisory enabled; tagged @yorhodes and @tkporter; as of 2026-05-17 the issue remains OPEN with no visible team response, no labels, no assignees — 33 days without acknowledgment.

This is a disclosure-infrastructure failure and insider transparency gap, not a confirmed ACL manipulation. No DPRK/OFAC nexus (routes to F123, not F125). Scored yellow: meaningful concern, not red absent a confirmed malicious ACL change.
Sources
- GitHub, "Security: Critical vulnerability in warp route contracts" (Issue #8589). GitHub issue #8589 — critical Warp Route vulnerability; reporter notes absence of SECURITY.md/private advisory; no team response visible as of 2026-05-17. Retrieved 2026-05-17.
- Etherscan, "Hyperlane ProxyAdmin v2". ProxyAdmin v2 at 0x692e50577fAaBF10F824Dc8Ce581e3Af93785175 — deployed 2025-02-25 with post-deploy ownership transfer; no corresponding public governance discussion found. Retrieved 2026-05-17.
Methodology
Determine whether any admin-rescue function or ACL change was committed to the repository or executed on-chain without a corresponding public discussion in issues, PRs, or the governance forum.