Changes since previous assessment
The following changes were observed in the in-scope commits:
Withdrawals support specifying destination
Withdrawals now support specifying a destination, instead of assuming the destination is msg.sender. All the information regarding the withdrawal, including user, destination, and amount, still requires a valid signature from a supermajority of the validators to take effect.
Batch functions
A batch variant of requestWithdrawal was introduced. This change required moving the nonReentrant modifier to the public batch versions. This does not introduce a security issue because the nonbatch variant has been restricted to internal visibility. We note that the whenNotPaused modifier could be removed from the internal function for a minor gas-efficiency gain.
All nonbatch variants are now not directly externally reachable; the batch variants call the nonbatch variants to process each operation. Because of this, the nonbatch variants were modified to log an event and return early instead of reverting if an error occurs. This is required to prevent a single error from reverting an entire batch of operations. We note that this is only partially effective, as reverts originating from external calls are not caught and will therefore revert the entire batch.
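The log-and-return pattern described above, extended so that a revert inside an external callee also stays confined to one batch item. This is an added example, not code from the audited bridge; the contract, function, and event names are hypothetical, and authorization is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited bridge's code. All names are hypothetical.
// Authorization (e.g. validator signature checks) is omitted for brevity.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract BatchIsolationSketch {
    struct Payout { address destination; uint256 amount; }

    IERC20 public immutable token;
    bool private entered;

    event PayoutSent(uint256 indexed index, address destination, uint256 amount);
    event PayoutFailed(uint256 indexed index, string reason);

    constructor(IERC20 token_) { token = token_; }

    // The reentrancy guard sits on the public batch entry point only.
    modifier nonReentrant() {
        require(!entered, "reentrant");
        entered = true;
        _;
        entered = false;
    }

    function batchedPayout(Payout[] calldata items) external nonReentrant {
        for (uint256 i = 0; i < items.length; i++) _payout(i, items[i]);
    }

    // Internal: reachable only through the guarded batch function.
    function _payout(uint256 i, Payout calldata p) internal {
        // Local validation error: log and return early instead of reverting.
        if (p.destination == address(0) || p.amount == 0) {
            emit PayoutFailed(i, "invalid item");
            return;
        }
        // A revert inside the callee is caught here, so it fails one item only.
        // Not caught: a target without code, or undecodable return data.
        try token.transfer(p.destination, p.amount) returns (bool ok) {
            if (ok) emit PayoutSent(i, p.destination, p.amount);
            else emit PayoutFailed(i, "transfer returned false");
        } catch {
            emit PayoutFailed(i, "transfer reverted");
        }
    }
}
```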
Support deposits using ERC20Permit
Two new functions, batchedDepositWithPermit and depositWithPermit, were introduced to support depositing on behalf of a third party using a signature via the ERC20Permit interface.
Configurable locker threshold required to lock the bridge
Locking (pausing) the bridge now requires votes from a configurable number of lockers.
Changing the threshold requires signatures from a two-thirds supermajority of the cold validator set.
Lockers can vote to pause and can also revoke their vote, but they cannot unpause the contract, which requires a two-thirds supermajority of the cold validators.
Adding and removing lockers still require a supermajority of the hot validators.
Minor change to the required validator power
The checkValidatorSignatures function was changed to require the cumulative power of the signatures being processed to be greater than two thirds of the total voting power of all the validators.
Previously, the function required the cumulative power to be greater than or equal to the two-thirds threshold.
Other minor changes
This includes the following:
The changeDisputePeriodSeconds function does not require the contract to not be paused.
The invalidateWithdrawals function does not require the contract to not be paused, and it emits one event per invalidated withdrawal instead of a single event with all invalidated withdrawals.
The changeBlockDurationMillis function does not require the contract to be paused.
Usage of correct source for block number
Arbitrum block.number lags behind the actual block.number on mainnet Ethereum. The equivalent of the Ethereum Mainnet block number is obtained using facilities specifically provided by Arbitrum.