Zellic - Audit Reports

Assessment reports Public findings

Back to Zellic site

Assessment reports>Hyperliquid>Threat Models>deposit

GeneralOverview

Findings

Informational (4)

DiscussionSignature checks do not require arrays of signers Possible improvements for contract transparency

Threat ModelsWhat are threat models?

Bridge2.sol batchedFinalizeWithdrawals changeBlockDurationMillis changeDisputePeriodSeconds deposit emergencyLock emergencyUnlock finalizeValidatorSetUpdate modifyLocker requestWithdrawal updateValidatorSet

Audit ResultsSummary

Function: `deposit(uint64 usdc)`

This function can be used to deposit USDC into the bridge.

Inputs

usdc
- Control: Arbitrary.
- Constraints: None (apart from the caller having sufficient balance).
- Impact: Amount to be deposited.

Branches and code coverage (including function calls)

Intended branches

Deposits USDC into the contract and emits a corresponding event.
Test coverage

Negative behavior

Reverts if user balance is insufficient or USDC transfer fails.
Negative test

Function call analysis

rootFunction -> usdcToken.transferFrom(user, address(this), usdc)
- What is controllable? usdc.
- If return value controllable, how is it used and how can it go wrong? Not controlled nor used.
- What happens if it reverts, reenters, or does other unusual control flow? Reverts bubble up; reentrancy is not possible (USDC makes no external calls).

Zellic © 2025Back to top ↑