★ Rescue/emergencyWithdraw without timelock

stHYPE (Valantis Labs)'s assessment for RD-F-041 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

rescueTokens(address token, address to, uint256 amount) confirmed present on stHYPE implementation (0xe71cAF5c) and wstHYPE (0x104324863cfb) via hyperevmscan.io ABI. Callable by DEFAULT_ADMIN_ROLE = Safe. No timelock or delay (AccessControl delay=0, no TimelockController). 4-of-6 quorum can drain all tokens in one transaction. [CRITICAL]

Sources #

Docs
stHYPE Roles and Controls Registrydocs.valantis.xyz/stakedhype/roles-and-controls-registry — DEFAULT_ADMIN_ROLE = Safe; AccessControl delay = 0retrieved 2026-05-17
URL
HyperEVMScan — wstHYPE implementationhyperevmscan.io 0x104324863cfb — ABI shows rescueTokens functionretrieved 2026-05-17
URL
HyperEVMScan — stHYPE implementationhyperevmscan.io 0xe71cAF5c — ABI shows rescueTokens(address,address,uint256) as admin functionretrieved 2026-05-17

Methodology #

Determine whether a `rescue(…)` or `emergencyWithdraw(…)` function exists callable by admin without a timelock delay on execution.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol staked-hype factor RD-F-041 score red collected_at 2026-05-17 13:02:38