
Function: changeBlockDurationMillis(uint64 newBlockDurationMillis, uint64 nonce, ValidatorSet activeColdValidatorSet, address[] signers, Signature[] signatures)

This function can be used to change the block duration.

Inputs

  • newBlockDurationMillis

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: New block duration.

  • nonce

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Nonce used as part of the signed hash.

  • activeColdValidatorSet

    • Control: Arbitrary.

    • Constraints: Hash must match the stored validator set hash.

    • Impact: Active set of validators, used to validate signatures.

  • signers

    • Control: Arbitrary.

    • Constraints: Length must match signatures.

    • Impact: Addresses of the signers of the action.

  • signatures

    • Control: Arbitrary.

    • Constraints: Each element must be a valid signature for the corresponding address in signers.

    • Impact: Signatures authorizing the action.

Branches and code coverage (including function calls)

Intended branches

  • Checks that the same message has not been used, checks the validity of the validator signatures, and updates the block duration.

Negative behavior

  • Reverts if the same message has already been used.

  • Reverts if the hash of the provided validator set does not match the stored one.

  • Reverts if a signature does not correspond with the signer.

  • Reverts if the signers' cumulative voting power is insufficient.

  • Reverts if the lengths of signers and signatures do not match.
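
The revert conditions listed above, restated as a small Python model that tests can be written against. This is an added example, not the audited contract's code or part of the original report: SHA-256 and HMAC stand in for the contract's hash and signature recovery, and the two-thirds quorum, the rejection of repeated signers, and all names (BridgeModel, digest, sign, set_hash, message_hash) are assumptions of the model.

```python
import hashlib
import hmac

class Revert(Exception):
    """Models a contract revert."""

def digest(*parts):
    # Stand-in for the contract's hash; each part is length-prefixed to avoid ambiguity.
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

def sign(key, message):
    # Stand-in for a validator signature (assumption: HMAC keeps this stdlib-only).
    return hmac.new(key, message, hashlib.sha256).digest()

def set_hash(validators, powers):
    return digest(*[f"{a}:{p}".encode() for a, p in zip(validators, powers)])

def message_hash(new_ms, nonce):
    return digest(b"changeBlockDurationMillis", str(new_ms).encode(), str(nonce).encode())

class BridgeModel:
    def __init__(self, validators, powers, keys, block_duration_millis):
        self.stored_set_hash = set_hash(validators, powers)
        self.keys = keys  # address -> key; replaces signature recovery in this model
        self.used_messages = set()
        self.block_duration_millis = block_duration_millis

    def change_block_duration_millis(self, new_ms, nonce, validators, powers, signers, signatures):
        message = message_hash(new_ms, nonce)
        if message in self.used_messages:
            raise Revert("message already used")
        if set_hash(validators, powers) != self.stored_set_hash:
            raise Revert("validator set hash mismatch")
        if len(signers) != len(signatures):
            raise Revert("signers/signatures length mismatch")
        power_of, seen, signed_power = dict(zip(validators, powers)), set(), 0
        for addr, sig in zip(signers, signatures):
            # Assumption: signers outside the set, or listed twice, are rejected.
            if addr not in power_of or addr in seen:
                raise Revert("signer not in set or repeated")
            if not hmac.compare_digest(sig, sign(self.keys[addr], message)):
                raise Revert("signature does not match signer")
            seen.add(addr)
            signed_power += power_of[addr]
        # Assumption: quorum is two thirds of total power; the page only says "insufficient".
        if 3 * signed_power < 2 * sum(powers):
            raise Revert("insufficient voting power")
        self.used_messages.add(message)
        self.block_duration_millis = new_ms
```

Because nonce and newBlockDurationMillis carry no constraints of their own, the only things separating one authorized change from another in this model are the used-message set and the fact that signatures are bound to the hash of both values.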

Function call analysis

  • rootFunction -> hash(agent)

    • What is controllable? agent, indirectly (some parts of the hash).

    • If return value controllable, how is it used and how can it go wrong? Not controllable, used to identify the transfer.

    • What happens if it reverts, reenters, or does other unusual control flow? Reverts and reentrancy cannot happen.

  • rootFunction -> checkMessageNotUsed(message)

    • What is controllable? message, indirectly (some parts of the hash).

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? Reverts bubble up; reentrancy cannot happen (no external calls).

  • rootFunction -> checkValidatorSignatures(...)

    • What is controllable? message (some parts of the hash), activeColdValidatorSet, signers, and signatures.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? Reverts bubble up; reentrancy cannot happen (no external calls).

Zellic © 2025