Breakage analysis per dependency
Hyperlane's assessment for RD-F-052 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
Breakage analysis:
1. Validator set compromise at threshold: all Warp Route collateral drained in one forged-message transaction — Mailbox has no rate-limiter.
2. StorageGasOracle stale rates: users overpay/underpay gas; message validity unaffected; team must correct manually.
3. ERC4626 vault insolvency (GitHub #8589, April 2026): HypERC4626Collateral locked collateral cannot be fully redeemed; economic loss to bridge users; no automated recovery.
4. OZ ECDSA library bug: would allow forged signatures — OZ 4.9.3 has no known critical ecrecover bug.
5. Symbiotic vault bug: undermines slashing guarantees; no immediate fund-loss in messaging path.
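To make the first item concrete, here is an added model (not Hyperlane code; written in Python rather than Solidity) of the difference between unbounded loss under threshold compromise and the bounded loss a per-route value rate-limiter would give. `ValueRateLimiter` and `simulate_drain` are hypothetical names, and the collateral and forged-message amounts are constructed sample values.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ValueRateLimiter:
    """Sliding-window cap on collateral released per route (hypothetical mitigation).

    Even if a forged message passes signature checks because the validator
    threshold is compromised, releases are bounded to `cap` units per
    `window` seconds instead of the whole collateral balance.
    """
    cap: int
    window: int
    _releases: deque = field(default_factory=deque)  # (timestamp, amount)

    def _prune(self, now: int) -> None:
        # Drop releases that have aged out of the window.
        while self._releases and self._releases[0][0] <= now - self.window:
            self._releases.popleft()

    def released_in_window(self, now: int) -> int:
        self._prune(now)
        return sum(amount for _, amount in self._releases)

    def try_release(self, amount: int, now: int) -> bool:
        """Record the release and return True if it fits under the cap."""
        if amount <= 0:
            raise ValueError("release amount must be positive")
        if self.released_in_window(now) + amount > self.cap:
            return False  # caller would revert / queue for manual review
        self._releases.append((now, amount))
        return True


def simulate_drain(collateral: int, forged_amounts, limiter=None, start: int = 0) -> int:
    """Process a burst of forged release requests (one per second) against a pool.

    Returns the total collateral released. Without a limiter every message that
    passes the (compromised) signature check drains the pool.
    """
    released = 0
    for i, amount in enumerate(forged_amounts):
        amount = min(amount, collateral - released)  # cannot release more than remains
        if amount <= 0:
            break
        if limiter is None or limiter.try_release(amount, start + i):
            released += amount
    return released
```

The limiter does not prevent the forged message from being valid; it only converts "everything in one transaction" into a bounded loss per window, buying time for detection and manual intervention.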
Sources
- GitHub: ERC4626 vault insolvency disclosure — Hyperlane monorepo, GitHub issue #8589 — ERC4626 insolvency bug in HypERC20Collateral / HypNative, responsible disclosure April 2026, 4 Foundry PoC tests, technical details withheld (retrieved 2026-05-17)
- Mailbox.sol — Hyperlane monorepo, Mailbox.sol process() — no rate-limit or max-value guard on message processing (retrieved 2026-05-17)
Methodology
Produce a short per-dependency text describing which protocol functions halt or degrade and impact severity if each declared dependency fails.