Hyperliquid assessment report, threat model: requestWithdrawal

Function: requestWithdrawal(uint64 usdc, uint64 nonce, ValidatorSet hotValidatorSet, address[] signers, Signature[] signatures)

This function can be used to request a withdrawal from the bridge.

Inputs

  • usdc

    • Control: Arbitrary.

    • Constraints: None directly (must match the signature).

    • Impact: Amount to be withdrawn.

  • nonce

    • Control: Arbitrary.

    • Constraints: None directly (must match the signature).

    • Impact: Nonce used to deduplicate signatures.

  • hotValidatorSet

    • Control: Arbitrary.

    • Constraints: The hash must match the current hot validator set hash.

    • Impact: Validator set.

  • signers

    • Control: Arbitrary.

    • Constraints: Elements must match the corresponding element in signatures.

    • Impact: Array of addresses that signed the request.

  • signatures

    • Control: Arbitrary.

    • Constraints: Must be valid signatures for the hash of the withdrawal request determined by the other parameters.

    • Impact: Signatures authorizing the transfer.

Branches and code coverage (including function calls)

Intended branches

  • Validates the validator set and the provided signatures, then records the pending withdrawal.

Negative behavior

  • Reverts if the provided validator set does not match the recorded validator set hash.

  • Reverts if a signature does not match the corresponding signer.

  • Reverts if the cumulative signing power is insufficient.

  • Reverts if the same withdrawal was already requested.

Function call analysis

  • rootFunction -> hash(agent)

    • What is controllable? agent, indirectly (some parts of the hash).

    • If return value controllable, how is it used and how can it go wrong? Not controllable; used to identify the transfer.

    • What happens if it reverts, reenters, or does other unusual control flow? Reverts and reentrancy cannot happen.

  • rootFunction -> checkValidatorSignatures(message, hotValidatorSet, signers, signatures, hotValidatorSetHash)

    • What is controllable? message, hotValidatorSet, signers, and signatures.

    • If return value controllable, how is it used and how can it go wrong? N/A.

    • What happens if it reverts, reenters, or does other unusual control flow? Reverts bubble up; reentrancy cannot happen (no external calls).

  • checkValidatorSignatures -> makeValidatorSetHash(activeValidatorSet)

    • What is controllable? activeValidatorSet.

    • If return value controllable, how is it used and how can it go wrong? Not meaningfully controllable, compared against the expected validator set hash.

    • What happens if it reverts, reenters, or does other unusual control flow? Reverts bubble up; reentrancy cannot happen (no external calls).

  • checkValidatorSignatures -> recoverSigner(message, signatures[signerIdx], domainSeparator)

    • What is controllable? message and signatures[signerIdx].

    • If return value controllable, how is it used and how can it go wrong? Not meaningfully controllable, compared against the expected signer; it is not possible to forge a signer's address.

    • What happens if it reverts, reenters, or does other unusual control flow? Reverts bubble up; reentrancy cannot happen (no external calls).
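The validation path the call analysis above describes (validator-set hash check, per-signature signer recovery, cumulative power threshold, and deduplication of a repeated request), written out as an added example. This is illustrative Solidity, not Hyperliquid's bridge code; the struct layouts, the message encoding, the 2/3 power threshold, and every identifier not named on this page are assumptions.

```solidity
pragma solidity ^0.8.20;
// Illustrative reconstruction of the checks the threat model lists; the struct layouts,
// message encoding and 2/3 power threshold are assumptions, not Hyperliquid's own code.
contract WithdrawalChecksExample {
    struct ValidatorSet { uint64 epoch; address[] validators; uint64[] powers; }
    struct Signature { uint8 v; bytes32 r; bytes32 s; }
    bytes32 public hotValidatorSetHash;       // hash of the hot validator set currently in force
    bytes32 public immutable domainSeparator; // EIP-712 style domain binding for signed messages
    mapping(bytes32 => bool) public requestedWithdrawals; // hash(agent) => already requested
    constructor(ValidatorSet memory vs, bytes32 ds) { hotValidatorSetHash = makeValidatorSetHash(vs); domainSeparator = ds; }

    function makeValidatorSetHash(ValidatorSet memory vs) public pure returns (bytes32) {
        require(vs.validators.length == vs.powers.length, "length mismatch");
        return keccak256(abi.encode(vs.epoch, vs.validators, vs.powers));
    }

    function recoverSigner(bytes32 message, Signature memory sig) internal view returns (address) {
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", domainSeparator, message));
        address signer = ecrecover(digest, sig.v, sig.r, sig.s);
        require(signer != address(0), "invalid signature"); // ecrecover yields 0 on malformed input
        return signer;
    }
    function powerOf(ValidatorSet memory vs, address who) internal pure returns (uint64) {
        for (uint256 i = 0; i < vs.validators.length; i++) if (vs.validators[i] == who) return vs.powers[i];
        revert("not a validator");
    }
    function checkValidatorSignatures(bytes32 message, ValidatorSet memory activeSet,
        address[] memory signers, Signature[] memory sigs, bytes32 expectedHash) internal view {
        require(makeValidatorSetHash(activeSet) == expectedHash, "validator set mismatch");
        require(signers.length == sigs.length, "length mismatch");
        uint256 total; uint256 power; address last;
        for (uint256 i = 0; i < activeSet.powers.length; i++) total += activeSet.powers[i];
        for (uint256 i = 0; i < signers.length; i++) {
            require(signers[i] > last, "signers must be strictly increasing"); // no double counting
            last = signers[i];
            require(recoverSigner(message, sigs[i]) == signers[i], "signer mismatch");
            power += powerOf(activeSet, signers[i]);
        }
        require(power * 3 >= total * 2, "insufficient signing power");
    }

    function requestWithdrawal(uint64 usdc, uint64 nonce, ValidatorSet memory hotSet,
        address[] memory signers, Signature[] memory sigs) external {
        bytes32 id = keccak256(abi.encode(msg.sender, usdc, nonce)); // hash(agent), assumed encoding
        require(!requestedWithdrawals[id], "withdrawal already requested");
        checkValidatorSignatures(id, hotSet, signers, sigs, hotValidatorSetHash);
        requestedWithdrawals[id] = true;
    }
}
```

The strictly increasing signer order is what prevents one validator's signature from being counted twice toward the threshold, and the zero-address check on ecrecover is what keeps a malformed signature from matching a signer entry of address(0).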

Zellic © 2025