★ Post-audit code changes without re-audit
Hyperlane's assessment for RD-F-139 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
GitHub issue #8589 (opened 2026-04-14) discloses a critical ERC4626 vault insolvency vulnerability in the HypERC20Collateral / HypNative Warp Route contracts. The issue remains OPEN as of 2026-05-17, with no public team response and no confirmed patch PR. The most recent EVM audit was Trail of Bits 2023-11 (covering late-2023 code). Warp Route ERC4626 integration changes post-dating that audit appear unreviewed, and there is no evidence of a re-audit. This is a textbook F139 post-audit-code-change-without-re-audit scenario.
Sources
- Audit: Trail of Bits Hyperlane V3 audit report. Trail of Bits V3 EVM audit: covers 2023-09-25 to 2023-09-29 period + fix review 2023-10-26; signed off 2023-11-06. Retrieved 2026-05-17.
- GitHub issue #8589 — ERC4626 warp route insolvency. Issue #8589: critical vulnerability in warp route contracts. OPEN, no team response, reporter has 4 PoC Foundry tests, filed 2026-04-14. Retrieved 2026-05-17.
Methodology
Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.