Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Hyperlane Starknet>Medium findings>Modules cannot be removed from routing ISM
GeneralOverview
Findings
Critical (5)
High (4)
Medium (5)Modules cannot be removed from routing ISMRouting ISM with the fallback configuration does not show fallback behaviorOwner address is not initializedIncorrect size for fetching branches of the Merkle treeMessage can be sent multiple times to an untrusted recipient
Low (5)
Informational (2)
DiscussionSame message can be inserted into the Merkle tree hook multiple timesNonce may overflow
Threat ModelMessage
Audit ResultsAssessment Results
Category: Coding Mistakes

Modules cannot be removed from routing ISM

Medium Severity
Medium Impact
High Likelihood

Description

Routing ISM in the Hyperlane protocol is an ISM that redirects the result from the ISM designated for the origin chain:

fn remove(ref self: ContractState, _domain: u32) {
    self.ownable.assert_only_owner();
    self._remove(_domain);
}

// ...

fn _remove(ref self: ContractState, _domain: u32) {
    let domain_index = match self.find_domain_index(_domain) {
        Option::Some(index) => index,
        Option::None => {
            panic_with_felt252(Errors::DOMAIN_NOT_FOUND);
            0
        }
    };
    let next_domain = self.domains.read(_domain);
    self.domains.write(domain_index, next_domain);
}

// ...

fn route(self: @ContractState, _message: Message) -> ContractAddress {
    self.modules.read(_message.origin)
}

// ...

fn verify(self: @ContractState, _metadata: Bytes, _message: Message) -> bool {
    let ism_address = self.route(_message.clone());
    let ism_dispatcher = IInterchainSecurityModuleDispatcher {
        contract_address: ism_address
    };
    ism_dispatcher.verify(_metadata, _message)
}

There is the remove function, which should remove the specified routing configuration from itself. However, it only removes the configuration from the list, and the storage variable modules, which defines the ISM that is used when a message is verified, is unchanged.

Impact

This inconsistency can lead to confusion and potential security risks if other parts of the system rely on the module function to accurately reflect the current state of domain-module mappings.

Recommendations

Consider removing the module from the storage variable modules as well as when the configuration is removed.

Remediation

This issue has been acknowledged by Pragma, and a fix was implemented in commit b3147211.

Zellic © 2025Back to top ↑