Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Hyperliquid>Threat Models>modifyLocker
GeneralOverview
Findings
High (2)
Informational (4)
DiscussionSignature checks do not require arrays of signersPossible improvements for contract transparency
Threat ModelsWhat are threat models?
Bridge2.solbatchedFinalizeWithdrawalschangeBlockDurationMillischangeDisputePeriodSecondsdepositemergencyLockemergencyUnlockfinalizeValidatorSetUpdatemodifyLockerrequestWithdrawalupdateValidatorSet
Audit ResultsSummary

Function: modifyLocker(address locker, bool isLocker, uint64 nonce, ValidatorSet activeColdValidatorSet, address[] signers, Signature[] signatures)

This function can be used to grant or revoke authorization for the locker role, which grants the ability to pause the contract.

Inputs

  • locker

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Address of the locker.

  • isLocker

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: If true, the permission will be granted; otherwise, it will be revoked.

  • nonce

    • Control: Arbitrary.

    • Constraints: None.

    • Impact: Nonce used as part of the signed action.

  • activeColdValidatorSet

    • Control: Arbitrary.

    • Constraints: The hash must match the stored cold validator set hash.

    • Impact: The currently active set of cold validators.

  • signers

    • Control: Arbitrary.

    • Constraints: Length must match signatures.

    • Impact: Addresses of the signers for the request.

  • signatures

    • Control: Arbitrary.

    • Constraints: Each element must be a valid signature for the corresponding signers entry.

    • Impact: Signatures authorizing the action.

Branches and code coverage (including function calls)

Intended branches

  • Checks for signature reuse, checks the signatures' validity, and grants/revokes permissions.

Negative behavior

  • Reverts if the same signature was already used.

  • Reverts if the validator set does not match the expected one.

  • Reverts if the sum of the signers' voting power is insufficient.

  • Reverts if the length of the signers and signatures do not match.

Function call analysis

  • rootFunction -> hash(agent)

    • What is controllable? agent, indirectly (some parts of the hash).

    • If return value controllable, how is it used and how can it go wrong? Not controllable --- used to identify the transfer.

    • What happens if it reverts, reenters, or does other unusual control flow? Reverts and reentrancy cannot happen.

  • rootFunction -> checkMessageNotUsed(message)

    • What is controllable? message, indirectly (some parts of the hash).

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? Reverts bubble up; reentrancy cannot happen (no external calls).

  • rootFunction -> checkValidatorSignatures(...)

    • What is controllable? message (some parts of the hash), activeColdValidatorSet, signers, and signatures.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? Reverts bubble up; reentrancy cannot happen (no external calls).

Zellic © 2025Back to top ↑