★ Oracle source = spot DEX pool (no TWAP)

Hyperlane's assessment for RD-F-053 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL] No spot DEX pool oracle anywhere in the message-verification or Warp-Route value path. Core security is validator ECDSA signatures. StorageGasOracle uses manually-set values (not DEX pools). ERC4626 exchange rate from vault.convertToAssets() (not a DEX pool). 19 Chainlink feeds are push-based CLOG feeds (not DEX spot). F053 does not fire.

Sources #

GitHub
StorageGasOracle.sol — Hyperlane monorepoStorageGasOracle.sol — setRemoteGasData() owner-only manual setter, no DEX pool referenceretrieved 2026-05-17
GitHub
Mailbox.sol — Hyperlane monorepoMailbox.sol process() — no oracle call, ISM verification is pure ECDSA signature checkretrieved 2026-05-17
GitHub
HypERC4626Collateral.sol — Hyperlane monorepoHypERC4626Collateral.sol — vault.convertToAssets(PRECISION) for exchange rate, not DEX poolretrieved 2026-05-17

Methodology #

Determine whether the primary oracle for any asset/market reads spot price from a single DEX pool without a TWAP window or secondary source.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol hyperlane factor RD-F-053 score green collected_at 2026-05-16 23:03:56