★ Audit scope mismatch
Hyperlane's assessment for RD-F-001 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Trail of Bits (Nov 2023) audited the EVM V3 Mailbox and ISM at a commit circa Sep 2023; the deployed Mailbox implementation (0x7b4D..., solc 0.8.19, source-verified) is likely close to the audited scope. However, the Warp Route ERC4626 extensions (HypERC4626Collateral, HypERC4626OwnerCollateral, WHypERC4626) evolved materially post-audit, and the April 2026 ERC4626 insolvency disclosure (issue #8589, open as of 2026-05-17) is unpatched and unaudited. The ChainLight Q2 2025 audit is listed on the docs page, but its specific commit SHA was not independently verified. The audit-q2-2026 branch is active, but no external firm publication was found. Yellow: the Mailbox core is likely in scope; the Warp Route extension layer, which has live TVL, has a material scope gap.
Sources
- Hyperlane V3 Security Assessment (Summary Report) — Trail of Bits, November 6, 2023. Trail of Bits V3 summary report (PDF binary — not parseable; engagement date 2023-11-06 confirmed via search). Retrieved 2026-05-17.
- Hyperlane Audits — Official Documentation. Official audit history listing Trail of Bits (v3 2023-09), ChainLight (Q2 2025), Sherlock (Sealevel 2025-03-27). Retrieved 2026-05-17.
- Ethereum Mailbox v3 Implementation — Etherscan Verified Source. Mailbox impl 0x7b4D881c122a5e61adCFfb56A2e3CE9927D53455 — verified source, compiler v0.8.19+commit.7dd6d404. Retrieved 2026-05-17.
- Security: Critical vulnerability in warp route contracts — requesting secure disclosure channel. Issue #8589 — open critical vulnerability in Warp Route ERC4626 layer, filed 2026-04-14, no team response visible. Retrieved 2026-05-17.
Methodology
Check whether the commit SHA cited in the audit report matches the bytecode deployed at the production proxy/implementation address.
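One way to run this check offline, as an added example (not the assessment's own tooling and not Hyperlane code): compare the runtime bytecode read from the chain with the runtime bytecode built from the audited commit, ignoring the solc CBOR metadata trailer and any immutable slots. All function names, the byte strings and the immutable offset are constructed for illustration.

```python
from typing import Iterable, Optional, Tuple

def split_metadata(runtime: bytes) -> Tuple[bytes, bytes]:
    """Split solc runtime bytecode into (code, CBOR metadata).
    solc appends CBOR metadata, then that metadata's length as 2 big-endian bytes."""
    n = int.from_bytes(runtime[-2:], "big") if len(runtime) >= 2 else 0
    if n == 0 or n + 2 > len(runtime):
        return runtime, b""  # no plausible trailer: treat everything as code
    return runtime[:-(n + 2)], runtime[-(n + 2):-2]

def solc_version(cbor: bytes) -> Optional[str]:
    """Read the "solc" entry (3 version bytes) from the metadata, if present."""
    marker = b"\x64solc\x43"  # CBOR text key "solc" + 3-byte byte-string header
    i = cbor.find(marker)
    if i < 0 or len(cbor) < i + len(marker) + 3:
        return None
    return ".".join(str(b) for b in cbor[i + len(marker):i + len(marker) + 3])

def mask(code: bytes, ranges: Iterable[Tuple[int, int]]) -> bytes:
    """Zero (offset, length) ranges, e.g. immutables written at deploy time."""
    out = bytearray(code)
    for start, length in ranges:
        if start < 0 or start + length > len(out):
            raise ValueError("immutable range outside code")
        out[start:start + length] = bytes(length)
    return bytes(out)

def compare(onchain: bytes, built: bytes, immutables=()) -> str:
    """Return 'exact', 'code-match' (equal ignoring trailer and immutables) or 'mismatch'."""
    if onchain == built:
        return "exact"
    a, b = split_metadata(onchain)[0], split_metadata(built)[0]
    immutables = list(immutables)
    if len(a) == len(b) and mask(a, immutables) == mask(b, immutables):
        return "code-match"
    return "mismatch"

# Constructed sample data (not Hyperlane bytecode): 9 code bytes, one 32-byte
# immutable slot at offset 9, 2 more code bytes, then a solc 0.8.19-style trailer.
def sample_trailer(fill: int) -> bytes:
    cbor = b"\xa2\x64ipfs\x58\x22" + bytes([fill]) * 34 + b"\x64solc\x43\x00\x08\x13"
    return cbor + len(cbor).to_bytes(2, "big")

HEAD, TAIL = bytes.fromhex("608060405260043610"), bytes.fromhex("5b00")
BUILT = HEAD + bytes(32) + TAIL + sample_trailer(0x11)
ONCHAIN = HEAD + (1).to_bytes(32, "big") + TAIL + sample_trailer(0x22)

if __name__ == "__main__":
    print(solc_version(split_metadata(ONCHAIN)[1]), compare(ONCHAIN, BUILT, [(9, 32)]))
```

A 'code-match' result says only that the executable code equals the build from that commit; the masked immutable values and the proxy's current implementation pointer still need to be checked separately.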