Prior known-ignored disclosure
Hyperlane's assessment for RD-F-177 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
April 2026 critical disclosure (issue #8589, opened 2026-04-14): ERC4626 insolvency bug in HypERC20Collateral / HypNative Warp Routes; 4 passing Foundry PoC tests; full root-cause analysis prepared. As of 2026-05-17 (33 days later): no Hyperlane team response visible on public GitHub issue; no GHSA/CVE filed; no merged PR addressing ERC4626 insolvency found in monorepo PR list (138 open, 1,427 closed). This is a live critical vulnerability with no publicly confirmed team response or patch on a $132M bridge. Caveat: private engagement may have occurred but is not visible. Score red pending curator verification of private engagement status.
Sources
- GitHub: GitHub Issue #8589 — Critical Warp Route Vulnerability. Issue #8589 opened 2026-04-14 by bilinmeyenkarakter — critical ERC4626 insolvency bug in Warp Routes; no team response visible; issue status: open. Retrieved 2026-05-17.
- hyperlane-monorepo Pull Requests: hyperlane-monorepo PR list — no ERC4626/insolvency security patch PR found in 138 open or recent closed PRs. Retrieved 2026-05-17.
Methodology
Determine whether evidence exists in prior-incident post-mortems that a disclosed vulnerability was reported to the team and not actioned before exploit.