Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Hyperbeat Pay>Design>Component: ServiceRegistry
GeneralOverview
Findings
Critical (1)
Medium (3)
Low (7)
Informational (1)
Indeterminate (2)
DiscussionIncompatible with nonstandard ERC-20 tokensWithdrawal-fee bypass with dust amountsMissing token whitelist validation in ACTION_CUSTOM pathTest suite
DesignComponent: ManagementAccountComponent: ManagementAccountFactoryComponent: ServiceRegistryComponent: TokenWhitelistRegistryComponent: MorphoService
Audit ResultsAssessment Results

Component: ServiceRegistry

Description

The ServiceRegistry is a centralized access-control registry that maintains a curated list of DeFi protocol service adapters available for ManagementAccount interactions. It establishes the system's trust boundary by ensuring that only validated services can be used by ManagementAccounts to interact with external DeFi protocols. Each registered service contains metadata including its service type (LENDING, BORROWING, YIELD, or CUSTOM), protocol identifier, risk score, and active status.

Invariants

Access control

  • Only accounts with SERVICE_ADMIN_ROLE can register, update, or remove services.

  • The DEFAULT_ADMIN_ROLE can grant or revoke the SERVICE_ADMIN_ROLE.

Attack surface

  • Service deactivation risk. A SERVICE_ADMIN_ROLE can deactivate services by setting active to false or removing them entirely, which would prevent all ManagementAccounts from executing new actions with that service (see Finding ref).

  • Service management. Only SERVICE_ADMIN_ROLE can manage services, preventing malicious external parties from registering, upgrading, or removing services.

Zellic © 2025Back to top ↑