Category: Business Logic

User funds stay locked when the bridge is not KYC-approved

Medium Impact
Medium Severity
Medium Likelihood

Description

The vault only updates KYC status through _setKycStatusWithAccounting in the KYC phase, which rejects accounts that hold no shares:

// src/HourglassStableVaultKYC.sol:883-885
uint256 userShares = balanceOf(user);
if (userShares == 0) revert NoSharesFound();

The LayerZero bridge contract is deployed with a zero share balance. During the KYC phase, batchSetKycStatus([bridge], true) therefore reverts, so the bridge cannot be whitelisted unless operators mint a share to it while the Deposit phase is still open. Later, when Withdraw mode starts, the bridge redemption flow (HourglassStableVaultBridge._redeemSharesAndBridgeToStable) pulls user shares and calls redeemBridge, which delegates to redeemKyc:

// src/HourglassStableVaultKYC.sol:660-670
function redeemKyc(...) public ... onlyCallerIsBridge onlyMode(OperationalMode.Withdraw) onlyKycApproved(owner) {
    (uint256 usdtOut,,) = previewRedeem(owner, shares);
    ...
}

Because the bridge was never KYC-approved, onlyKycApproved(owner) always fails and every Withdraw-phase redemption reverts.

Impact

Withdraw-mode bridge withdrawals are blocked — user funds stay locked until Recovery mode is available.

The requirement to premint a bridge share is not documented, and the development team was not aware of it at the time this issue was noted, so missing this step is very likely in practice.

Recommendations

Allow trusted infrastructure (e.g., the bridge) to be KYC-approved even with a zero share balance, or seed the bridge with a share during deployment so _setKycStatusWithAccounting can succeed while in the KYC phase.

Nevertheless, we recommend simplifying this workflow as much as possible to reduce the chance of human error.
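
The revert chain from the Description and the two recommended fixes, walked through in a simplified Python model. This is an added example, not HourGlass's Solidity or code from the assessment. `VaultModel`, `run_lifecycle`, the `allow_zero_share_infra` switch, and the `WrongMode` and `NotKycApproved` error names are assumptions; only `NoSharesFound` comes from the report.

```python
from enum import Enum

Mode = Enum("Mode", "DEPOSIT KYC WITHDRAW")

class Revert(Exception):
    """Stands in for a Solidity revert."""

class VaultModel:
    def __init__(self, bridge, allow_zero_share_infra=False):
        self.mode, self.bridge = Mode.DEPOSIT, bridge
        self.shares, self.kyc_approved = {}, set()
        self.allow_zero_share_infra = allow_zero_share_infra  # hypothetical fix switch

    def deposit(self, account, amount):
        self.shares[account] = self.shares.get(account, 0) + amount

    def approve_kyc(self, account):
        if self.mode is not Mode.KYC:
            raise Revert("WrongMode")  # placeholder error name
        exempt = self.allow_zero_share_infra and account == self.bridge
        if self.shares.get(account, 0) == 0 and not exempt:
            raise Revert("NoSharesFound")  # the check quoted in the finding
        self.kyc_approved.add(account)

    def redeem_via_bridge(self, user, amount):
        # The bridge redeems as owner, so the KYC gate applies to the bridge.
        if self.mode is not Mode.WITHDRAW:
            raise Revert("WrongMode")
        if self.bridge not in self.kyc_approved:
            raise Revert("NotKycApproved")  # placeholder error name
        self.shares[user] -= amount
        return amount  # 1:1 payout keeps the model simple

def attempt(call):
    try:
        return call() or "ok"
    except Revert as err:
        return str(err)

def run_lifecycle(seed_bridge=False, allow_zero_share_infra=False):
    """Deposit -> KYC -> Withdraw; returns (bridge KYC result, redeem result)."""
    vault = VaultModel("bridge", allow_zero_share_infra)
    vault.deposit("alice", 100)  # constructed sample user and amount
    if seed_bridge:
        vault.deposit("bridge", 1)  # premint while Deposit is still open
    vault.mode = Mode.KYC
    kyc = attempt(lambda: vault.approve_kyc("bridge"))
    vault.mode = Mode.WITHDRAW
    return kyc, attempt(lambda: vault.redeem_via_bridge("alice", 100))
```

A deployment checklist can assert the same invariant against the real contracts: before leaving the KYC phase, the bridge address must already be KYC-approved.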

Remediation

This issue has been acknowledged by HourGlass, and a fix was implemented in commit 614981fb.

Zellic © 2025