★ Post-audit code changes without re-audit

Hyperliquid's assessment for RD-F-139 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

CRITICAL: L1 HyperCore binary is closed-source and has never been independently audited — every post-launch update is unaudited by construction. For Bridge2: last audit was Zellic November 2023. Proxy admin can replace implementation without triggering new audit; post-audit implementation changes confirmed in 2023. No audit since November 2023 (~29 months ago). Nov 2023 Zellic report explicitly excluded off-chain components, front-end, infrastructure, key custody.

Sources #

Docs
No audit since November 2023 listed on official audits pageHyperliquid audits pageretrieved 2026-04-28
URL
Hyper Foundation operates 5 validators holding >50% staked HYPEmefai Feb 2026retrieved 2026-04-28
Audit
Zellic November 2023 — last known audit of Bridge2Zellic November 2023 patch reviewretrieved 2026-04-28

Methodology #

Count deployed changes to audited bytecode where no subsequent audit or spot-review covers the changed code.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol hyperliquid factor RD-F-139 score red collected_at 2026-04-28 13:58:49