Upgrade multisig signer configuration (M/N)

Hyperliquid's assessment for RD-F-026 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Bridge2 hot-validator quorum: effectively 3-of-4 for withdrawals (2/3 stake-weighted). Lockers: 2-of-5 to pause. Cold validator set: 4 nodes, 2/3 required for emergency ops. Proxy admin upgrade multisig: threshold NOT publicly disclosed (safe_api_gap: true). L1 validator governance: top-24 by stake, 2/3 BFT quorum.

Sources #

URL
Bridge in Arbitrum is still a 3/4 multisigSantisa X postretrieved 2026-04-28
URL
Hyperliquid Security: Beyond Orderbooks & Into ArchitectureQuillaudits security analysisretrieved 2026-04-28

Methodology #

Read `threshold` and `getOwners()` on the multisig controlling upgrade / sensitive ops. Store as `required` (M) and `total` (N); render as "M/N". For EOA admins record `required=1, total=1` (display "1/1"). Null when admin is immutable or full DAO with no fixed signer set.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol hyperliquid factor RD-F-026 score yellow collected_at 2026-04-28 13:58:49