Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Hyperlane Starknet>Medium findings>Owner address is not initialized
GeneralOverview
Findings
Critical (5)
High (4)
Medium (5)Modules cannot be removed from routing ISMRouting ISM with the fallback configuration does not show fallback behaviorOwner address is not initializedIncorrect size for fetching branches of the Merkle treeMessage can be sent multiple times to an untrusted recipient
Low (5)
Informational (2)
DiscussionSame message can be inserted into the Merkle tree hook multiple timesNonce may overflow
Threat ModelMessage
Audit ResultsAssessment Results
Category: Coding Mistakes

Owner address is not initialized

Medium Severity
Medium Impact
Medium Likelihood

Description

The contracts merkle_tree_hook.cairo and validator_announce.cairo embed the Ownable component. However, the Ownable component is not initialized in the constructor and so the owner address would not be configured.

We have found that the owner address is only checked for the features that do not affect the behavior of the contract (i.e., unused) in merkle_tree_hook.cairo. However, validator_announce.cairo only allows the owner to upgrade the contract; therefore this contract would not be updatable.

Impact

The contracts validator_announce.cairo and merkle_tree_hook.cairo cannot be upgraded.

Recommendations

Consider initializing the owner address in the constructor for both contracts.

Remediation

This issue has been acknowledged by Pragma, and a fix was implemented in commit b3b2c967.

Zellic © 2025Back to top ↑