★ Admin has mint() with unlimited max

Kinetiq's assessment for RD-F-042 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

mint() on kHYPE requires MINTER_ROLE, currently assigned to StakingManager contract (not a bare EOA). No supply cap exists on kHYPE. DEFAULT_ADMIN_ROLE (Safe) can reassign MINTER_ROLE to any address without timelock. If 4-of-7 Safe is compromised, MINTER_ROLE could be granted to an EOA enabling unlimited kHYPE minting. Not red because current mint path requires contract-based intermediary, not direct admin call.

Sources #

GitHub
KHYPE.sol source (Code4rena audit repo)KHYPE.sol: mint() requires MINTER_ROLE; no maxSupply; minter parameter set during initialize() — currently StakingManagerretrieved 2026-05-17
Etherscan
kHYPE Token implementation on HyperEVMScankHYPE Token implementation ABI: mint(address to, uint256 amount) — MINTER_ROLE guard, no supply capretrieved 2026-05-17

Methodology #

Determine whether an admin-callable `mint` on a protocol token has no supply cap or an unlimited maximum supply.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol kinetiq factor RD-F-042 score yellow collected_at 2026-05-17 15:29:57