Assessment reports>Hyperlane Starknet>Medium findings>Modules cannot be removed from routing ISM
Category: Coding Mistakes

Modules cannot be removed from routing ISM

Medium Severity
Medium Impact
High Likelihood

Description

Routing ISM in the Hyperlane protocol is an ISM that redirects the result from the ISM designated for the origin chain:

fn remove(ref self: ContractState, _domain: u32) {
    self.ownable.assert_only_owner();
    self._remove(_domain);
}

// ...

fn _remove(ref self: ContractState, _domain: u32) {
    let domain_index = match self.find_domain_index(_domain) {
        Option::Some(index) => index,
        Option::None => {
            panic_with_felt252(Errors::DOMAIN_NOT_FOUND);
            0
        }
    };
    let next_domain = self.domains.read(_domain);
    self.domains.write(domain_index, next_domain);
}

// ...

fn route(self: @ContractState, _message: Message) -> ContractAddress {
    self.modules.read(_message.origin)
}

// ...

fn verify(self: @ContractState, _metadata: Bytes, _message: Message) -> bool {
    let ism_address = self.route(_message.clone());
    let ism_dispatcher = IInterchainSecurityModuleDispatcher {
        contract_address: ism_address
    };
    ism_dispatcher.verify(_metadata, _message)
}

There is the remove function, which should remove the specified routing configuration from itself. However, it only removes the configuration from the list, and the storage variable modules, which defines the ISM that is used when a message is verified, is unchanged.

Impact

This inconsistency can lead to confusion and potential security risks if other parts of the system rely on the module function to accurately reflect the current state of domain-module mappings.

Recommendations

Consider removing the module from the storage variable modules as well as when the configuration is removed.

Remediation

This issue has been acknowledged by Pragma, and a fix was implemented in commit b3147211.

Zellic © 2025Back to top ↑