Disputed actions are not blocked by validator rotation
Description
The bridge implements a two-step mechanism for performing withdrawals and validator set changes. First, a request authorizing the action has to be submitted, signed by a two-thirds majority of the current validator set. If the request is valid, it is recorded in contract storage as pending.
The second step, finalization, actually performs the requested action and can only occur after a dispute period has elapsed. The dispute period gives the opportunity to pause the contract in the event that one or more validators are compromised. Unpausing the contract also requires the validator set to be rotated, so that the compromised validators can be replaced.
However, the current implementation provides no way to remove pending operations. For example, if a malicious withdrawal is detected during the dispute period and the contract is paused, the request stays pending in storage and can still be finalized once the contract is unpaused.
Impact
If a sufficiently large subset of the validators' hot wallets is compromised (enough to reach the two-thirds signing threshold), the dispute period does not effectively allow malicious withdrawals or validator set updates to be blocked; pausing only delays them. Even after the validators are rotated, the pending actions can still be finalized once the contract is unpaused, because finalization does not depend on the validator set that is current at that time.
Recommendations
We recommend adding a mechanism for invalidating pending requests, for example by clearing them (or marking them invalid) in the emergencyUnlock function, so that nothing queued before a pause survives the validator rotation.
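The following is an added model of the two-step flow described above and of the recommended fix; it is illustrative code written for this page, not Hyperliquid's contract. It keeps the pieces the finding relies on (a two-thirds quorum over the current validator set, a pending map in storage, a dispute period, pause, and an emergencyUnlock that rotates validators) and makes the fix a flag: when `invalidate_pending_on_unlock` is set, the unlock clears the pending map. Names such as `Bridge`, `submit`, `finalize` and `run_scenario` are assumptions of this model, signatures are abstracted to sets of signer ids, and who is authorized to pause or unlock is out of scope.

```python
"""Model of a two-step bridge (request -> dispute period -> finalize) with
pause / emergency unlock. Illustrative only; names and structure are assumed."""
from dataclasses import dataclass


class BridgeError(Exception):
    pass


@dataclass
class Request:
    action: str        # "withdraw" or "rotate_validators"
    payload: tuple     # (recipient, amount) or (new validator set,)
    submitted_at: int  # timestamp at submission; dispute period counts from here


class Bridge:
    def __init__(self, validators, dispute_period, invalidate_pending_on_unlock):
        self.validators = frozenset(validators)
        self.dispute_period = dispute_period
        self.invalidate = invalidate_pending_on_unlock  # True = fix applied
        self.paused = False
        self.pending = {}      # request id -> Request (models contract storage)
        self.finalized = []    # (action, payload) actually executed
        self._next_id = 0

    def has_quorum(self, signers):
        # Two-thirds majority of the *current* validator set, as in the finding.
        valid = set(signers) & self.validators
        return 3 * len(valid) >= 2 * len(self.validators)

    def submit(self, action, payload, signers, now):
        """Step 1: record a signed request as pending."""
        if self.paused:
            raise BridgeError("paused")
        if not self.has_quorum(signers):
            raise BridgeError("insufficient validator signatures")
        rid = self._next_id
        self._next_id += 1
        self.pending[rid] = Request(action, payload, now)
        return rid

    def finalize(self, rid, now):
        """Step 2: execute a pending request once the dispute period has elapsed.
        Note that the current validator set is not consulted here at all."""
        if self.paused:
            raise BridgeError("paused")
        req = self.pending.get(rid)
        if req is None:
            raise BridgeError("no such pending request")
        if now < req.submitted_at + self.dispute_period:
            raise BridgeError("dispute period not elapsed")
        del self.pending[rid]
        if req.action == "rotate_validators":
            self.validators = frozenset(req.payload[0])
        self.finalized.append((req.action, req.payload))
        return req

    def pause(self):
        # Authorization for pause/unlock is out of scope for this model.
        self.paused = True

    def emergency_unlock(self, new_validators):
        if not self.paused:
            raise BridgeError("not paused")
        self.validators = frozenset(new_validators)  # rotation is mandatory
        if self.invalidate:
            # The fix: nothing queued before the pause survives the rotation.
            self.pending.clear()
        self.paused = False


def run_scenario(invalidate_pending_on_unlock):
    """Constructed scenario: two of three hot wallets are compromised.
    Returns the list of actions that actually got executed."""
    bridge = Bridge({"v1", "v2", "v3"}, dispute_period=100,
                    invalidate_pending_on_unlock=invalidate_pending_on_unlock)
    # Attacker controls v1 and v2 (a 2/3 quorum) and queues a withdrawal at t=0.
    rid = bridge.submit("withdraw", ("attacker", 1_000_000), {"v1", "v2"}, now=0)
    # The withdrawal is spotted inside the dispute period; the bridge is paused
    # and then unlocked with the compromised validators rotated out.
    bridge.pause()
    bridge.emergency_unlock({"v4", "v5", "v6"})
    # After the dispute period anyone can attempt to finalize the old request.
    try:
        bridge.finalize(rid, now=200)
    except BridgeError:
        pass
    return bridge.finalized


if __name__ == "__main__":
    print("without fix:", run_scenario(False))  # malicious withdrawal executes
    print("with fix:   ", run_scenario(True))   # nothing executes
```

Clearing the map is the simplest form of the recommendation. An equivalent approach that avoids iterating storage is to stamp each request with the validator-set epoch at submission and have finalization reject any request whose epoch is older than the current one; either way the property to check is that a request signed by a rotated-out quorum can never be finalized after the unlock.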
Remediation
This issue has been acknowledged by Hyperliquid, and a fix was implemented in commit 8c4a182a.