
Compromised owner account could maliciously update resource metadata

After our review period ended, Hyperlane requested a review of PR #28, an additional update to the Token Metadata.

In PR #28, a change was made to allow the owner of the hyp_token to update the resource metadata. This metadata includes the resource's name, symbol, and description.

In our opinion, having the description be updatable makes sense, as the description can contain information about the resource, including official links. There are real scenarios where this information may need to be updated.

However, allowing the name and symbol to be updatable opens a potential attack vector where a bad actor could, after compromising the owner's private key, modify the name and symbol to impersonate another token.

Although resources in general should be identified by their unique resource address, non-expert users are in danger of falling for scams that use the modified token name and symbol, especially since this token would be a real token with real market value.

We've determined that the severity of such an attack would be medium, since it does require users to fall for a scam. We've also determined that the likelihood is low, since it requires a private key compromise.

Our recommendation is to prevent the name and symbol from being updatable. The description can stay updatable.
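The recommendation above amounts to a per-field lock policy on the resource metadata: name and symbol locked at creation, description updatable by the owner. The following Rust model is an added illustration written for this discussion, not Hyperlane's code or the Radix engine's; it contrasts the configuration as described for PR #28 (everything updatable) with the recommended one, and replays the key-compromise scenario against both. The `Caller`, `ResourceMetadata` and `rebrand_possible_with_owner_key` names and the sample token values are constructed for the example. On Radix, the same policy is what the `locked` and `updatable` markers in Scrypto's `metadata!` `init` block express (stated from the Scrypto API as we know it, not from the page).

```rust
use std::collections::HashMap;

/// The role presented by the caller. A compromised owner key still presents
/// as `Owner`, which is exactly the scenario the finding describes.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Caller {
    Owner,
    Anyone,
}

#[derive(Debug, PartialEq, Eq)]
pub enum MetadataError {
    NotOwner,
    Locked(String),
    UnknownKey(String),
}

#[derive(Debug, Clone)]
struct Entry {
    value: String,
    locked: bool,
}

/// Toy model (constructed for this example) of a resource's metadata with a per-key, one-way lock.
#[derive(Debug, Clone)]
pub struct ResourceMetadata {
    entries: HashMap<String, Entry>,
}

impl ResourceMetadata {
    fn new(init: &[(&str, &str, bool)]) -> Self {
        let entries = init
            .iter()
            .map(|(k, v, locked)| (k.to_string(), Entry { value: v.to_string(), locked: *locked }))
            .collect();
        Self { entries }
    }

    /// Configuration as described for PR #28: every field updatable by the owner.
    pub fn all_updatable(name: &str, symbol: &str, description: &str) -> Self {
        Self::new(&[("name", name, false), ("symbol", symbol, false), ("description", description, false)])
    }

    /// Recommended configuration: name and symbol locked at creation, description updatable.
    pub fn recommended(name: &str, symbol: &str, description: &str) -> Self {
        Self::new(&[("name", name, true), ("symbol", symbol, true), ("description", description, false)])
    }

    pub fn get(&self, key: &str) -> Option<&str> {
        self.entries.get(key).map(|e| e.value.as_str())
    }

    /// Owner-gated update. A locked key is rejected no matter who asks, and there is
    /// deliberately no `unlock`, so a stolen owner key cannot undo a lock.
    pub fn set(&mut self, caller: Caller, key: &str, value: &str) -> Result<(), MetadataError> {
        if caller != Caller::Owner {
            return Err(MetadataError::NotOwner);
        }
        let entry = self.entries.get_mut(key).ok_or_else(|| MetadataError::UnknownKey(key.to_string()))?;
        if entry.locked {
            return Err(MetadataError::Locked(key.to_string()));
        }
        entry.value = value.to_string();
        Ok(())
    }

    /// One-way lock of an updatable key; how a resource created fully updatable would be retrofitted.
    pub fn lock(&mut self, caller: Caller, key: &str) -> Result<(), MetadataError> {
        if caller != Caller::Owner {
            return Err(MetadataError::NotOwner);
        }
        let entry = self.entries.get_mut(key).ok_or_else(|| MetadataError::UnknownKey(key.to_string()))?;
        entry.locked = true;
        Ok(())
    }
}

/// Replays the finding against a configuration: whoever holds the owner key tries to
/// re-brand the token. Returns true if the observable name or symbol changed.
pub fn rebrand_possible_with_owner_key(mut md: ResourceMetadata) -> bool {
    let before = (md.get("name").map(str::to_string), md.get("symbol").map(str::to_string));
    // Results are ignored on purpose: only the metadata a user sees afterwards matters here.
    let _ = md.set(Caller::Owner, "name", "Well-Known Token");
    let _ = md.set(Caller::Owner, "symbol", "WKT");
    // The description stays updatable in both configurations; that is the accepted residual risk.
    let _ = md.set(Caller::Owner, "description", "constructed: attacker-controlled text");
    let after = (md.get("name").map(str::to_string), md.get("symbol").map(str::to_string));
    before != after
}

fn main() {
    let as_merged = ResourceMetadata::all_updatable("Hyp Token", "HYP", "Bridged via Hyperlane");
    let as_recommended = ResourceMetadata::recommended("Hyp Token", "HYP", "Bridged via Hyperlane");
    println!("all fields updatable -> rebrand possible: {}", rebrand_possible_with_owner_key(as_merged));
    println!("name/symbol locked   -> rebrand possible: {}", rebrand_possible_with_owner_key(as_recommended));
}
```

The point the model makes is that the owner role alone is the wrong control for name and symbol: an attacker who has the owner's key passes that check by definition, so the protection has to be a lock enforced by the resource itself, with no owner-reachable path to remove it. The description remains owner-updatable, which is the residual risk the finding accepts.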

Zellic © 2025