defirisk.co
rubric v1.7.0

Bridge rate-limiter / chain-pause as positive mitigant

Hyperlane's assessment for RD-F-185 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

No per-window outflow rate-limiter was found in the Mailbox or Warp Route source. HypERC20Collateral.sol and HypNative have no rate-limit logic. The ISM architecture allows validators to cease attestation, but that is a liveness failure mode, not a rate limit. No chain-pause capability is documented for the Ethereum or BSC Mailbox. The absence of this mitigant is a negative finding for F185, rated red given $132M TVS and the open ERC4626 vulnerability (GitHub issue #8589), which provides a concrete attack path that this mitigant would otherwise limit.

Sources

  • GitHub
    Mailbox.sol: Mailbox.sol source, no rate-limiter logic (retrieved 2026-05-17)
  • GitHub
    HypERC20Collateral.sol: HypERC20Collateral.sol source, no rate-limiter logic (retrieved 2026-05-17)

Methodology

Determine whether the bridge implements a per-window outflow rate-limiter (and at what cap), and whether the protocol team can trigger a chain-level or validator-set emergency pause.
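An illustrative model of the mitigant this factor looks for, added here as an example and not Hyperlane's code or the assessor's tooling: a rolling-window outflow cap plus a pause switch, compared against unrestricted release of the same collateral. The cap, window, request size and pause time are constructed values; only the $132M figure comes from the assessment.

```python
from collections import deque

class OutflowBlocked(Exception):
    """Release refused by the window cap or the pause switch."""

class OutflowLimiter:
    def __init__(self, cap, window):
        self.cap = cap          # max units released per rolling window (constructed value)
        self.window = window    # window length in seconds (constructed value)
        self.paused = False     # emergency pause switch
        self._events = deque()  # (timestamp, amount) of releases still inside the window

    def release(self, amount, now):
        if self.paused:
            raise OutflowBlocked("paused")
        # Drop releases that have aged out of the rolling window.
        while self._events and self._events[0][0] <= now - self.window:
            self._events.popleft()
        if sum(a for _, a in self._events) + amount > self.cap:
            raise OutflowBlocked("window cap exceeded")
        self._events.append((now, amount))
        return amount

def simulate_outflow(collateral, attempt, interval, duration, limiter=None, pause_at=None):
    """Total released when `attempt` units are requested every `interval` seconds."""
    released = 0
    for now in range(0, duration, interval):
        if limiter is not None and pause_at is not None and now >= pause_at:
            limiter.paused = True  # operator triggers the pause at `pause_at`
        amount = min(attempt, collateral - released)
        if amount == 0:
            break  # collateral exhausted
        try:
            released += limiter.release(amount, now) if limiter is not None else amount
        except OutflowBlocked:
            pass  # request refused; collateral stays locked
    return released

COLLATERAL = 132_000_000  # the TVS figure from this assessment, used as sample input
SIX_HOURS = 6 * 3600

def scenarios():
    args = (COLLATERAL, 1_000_000, 60, SIX_HOURS)
    return {
        "no_limiter": simulate_outflow(*args),
        "capped": simulate_outflow(*args, limiter=OutflowLimiter(5_000_000, 3600)),
        "capped_and_paused": simulate_outflow(
            *args, limiter=OutflowLimiter(5_000_000, 3600), pause_at=7200),
    }
```

With these sample parameters the cap bounds the six-hour outflow to a fraction of collateral, and the pause stops it entirely once triggered, which is why the factor asks for both the cap value and the pause authority.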


rubric_version: v1.7.0
protocol: hyperlane
factor: RD-F-185
score: red
collected_at: 2026-05-16 23:03:56