★ Immutable oracle address

Hyperlane's assessment for RD-F-180 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL CANDIDATE — PD-017 held; compose counts it] Core Mailbox ISM path has no oracle and is unaffected. For yield-bearing Warp Routes using HypERC4626Collateral: vault address is set at construction with no admin-replaceable wrapper observable in source — immutable at the Warp Route level. If underlying ERC4626 vault becomes insolvent, the Warp Route cannot redirect to a new vault without redeployment. April 2026 ERC4626 insolvency disclosure (GitHub #8589) makes this directly material as a dependency-breakage vector. Scored yellow (not red) because: (a) it is a collateral-vault, not a Chainlink aggregator in the message-security critical path; (b) Warp Routes can be redeployed (unlike immutable lending oracle adapters); (c) failure mode is vault insolvency, distinct from the USR/USDX/xUSD spot-price manipulation class. FLAG FOR PD-017 POST-LAUNCH PROMOTION REVIEW.

Sources #

GitHub
ERC4626 insolvency disclosure — Hyperlane monorepo issue #8589GitHub issue #8589 — ERC4626 vault insolvency responsible disclosure, April 2026, HypERC20Collateral and HypNative, 4 Foundry PoC tests; technical details withheldretrieved 2026-05-17
GitHub
HypERC4626Collateral.sol — vault immutability confirmedHypERC4626Collateral.sol — vault address as constructor param, no admin setter for vault replacementretrieved 2026-05-17

Methodology #

Determine whether any collateral oracle address is marked `immutable` in protocol config with no admin-replaceable adapter wrapper, preventing the protocol from repricing when the upstream asset depegs.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol hyperlane factor RD-F-180 score yellow collected_at 2026-05-16 23:03:56