{"id":1053,"date":"2025-06-16T23:57:17","date_gmt":"2025-06-16T21:57:17","guid":{"rendered":"https:\/\/ackee.xyz\/blog\/?p=1053"},"modified":"2025-07-01T11:11:10","modified_gmt":"2025-07-01T09:11:10","slug":"hyperlend-protocol-audit-summary","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/hyperlend-protocol-audit-summary\/","title":{"rendered":"Hyperlend Protocol Audit Summary"},"content":{"rendered":"<p class=\"p1\">Hyperlend is a lending protocol deployed on the Hyperliquid chain. The protocol implements risk-segmented lending pools designed for different use cases. The protocol\u2019s infrastructure includes cross-chain deposit endpoints for protocol pools, looping contracts that enable position management through flash loans, and helper contracts for asset listing functionality.<\/p>\n<p class=\"p1\">Hyperlend engaged Ackee Blockchain Security to perform a security review of the Hyperlend protocol with a total time donation of 46 engineering days in the period between January 10 and February 7, 2025.<\/p>\n<p>A second review, focused on the fixes, was then performed between February 17 and February 24, 2025.<\/p>\n<p>A third review was then performed between March 12 and March 18.<\/p>\n<h2><span style=\"font-weight: 400;\">METHODOLOGY<\/span><\/h2>\n<p>We began our review with a deep dive into the logic of the contracts. 
We supported our review with static analysis tools, including <a href=\"https:\/\/getwake.io\">Wake<\/a>, and manually guided fuzzing checking basic functionality of the code in-scope.<\/p>\n<p>During the review, we paid special attention to:<\/p>\n<ul>\n<li>ensuring tokens cannot be stolen or unintentionally locked in the contracts;<\/li>\n<li>detecting possible reentrancies in the code;<\/li>\n<li>checking integration with third-party contracts is correct and secure;<\/li>\n<li>common issues such as data validation.<\/li>\n<\/ul>\n<h2><span style=\"font-weight: 400;\">SCOPE<\/span><\/h2>\n<p>The audit was performed on the following repositories and commits:<\/p>\n<ul>\n<li>hyperlend-core commit <code class=\"codehl\">425624<\/code>;<\/li>\n<li>hyperlend-isolated commit <code class=\"codehl\">37c678<\/code>;<\/li>\n<li>looping-contracts (private repository) commit <code class=\"codehl\">0fdde7<\/code>;<\/li>\n<li>core-config-engine commit <code class=\"codehl\">0339f1<\/code>;<\/li>\n<li>cross-chain-lending-deposits (private repository) commit <code class=\"codehl\">43b101<\/code>.<\/li>\n<\/ul>\n<p>The fix review was performed on the following repositories and commits:<\/p>\n<ul>\n<li>hyperlend-core commit <code class=\"codehl\">625161<\/code>;<\/li>\n<li>hyperlend-isolated commit <code class=\"codehl\">0b90ce<\/code>;<\/li>\n<li>looping-contracts (private repository) commit <code class=\"codehl\">cb6fac<\/code>;<\/li>\n<li>core-config-engine commit <code class=\"codehl\">4ff785<\/code>;<\/li>\n<li>cross-chain-lending-deposits (private repository) commit <code class=\"codehl\">38dc8a<\/code>.<\/li>\n<\/ul>\n<p>The third audit was performed on the hyperlend-core-new repository, commit <code class=\"codehl\">0c2b14<\/code>. 
The scope included all changes made in the <code class=\"codehl\">src<\/code> directory compared to the original Aave v3.2 codebase.<\/p>\n<h2><span style=\"font-weight: 400;\">FINDINGS<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">The classification of a security finding is determined by two ratings: <\/span><b>impact<\/b><span style=\"font-weight: 400;\"> and <\/span><b>likelihood<\/b><span style=\"font-weight: 400;\">. This two-dimensional classification helps clarify the severity of individual issues. Issues which would be rated as <\/span><i><span style=\"font-weight: 400;\">medium<\/span><\/i><span style=\"font-weight: 400;\"> severity, but which would likely be discovered only by the team, are typically decreased by the likelihood factor to the <\/span><i><span style=\"font-weight: 400;\">Warning<\/span><\/i><span style=\"font-weight: 400;\"> or <\/span><i><span style=\"font-weight: 400;\">Informational<\/span><\/i><span style=\"font-weight: 400;\"> severity ratings.<\/span><\/p>\n<p class=\"p1\">Our review resulted in 44 findings, ranging from Info to Critical severity. The most severe finding, C1, posed a critical risk of all collateral tokens being stolen from the isolated pools of the protocol. The finding was reported despite being out-of-scope for the review, as the core issue was the incorrect usage of a new Chainlink-like price provider in the context of the original Fraxlend V3 codebase. The issue was undetectable by performing only a differential review without the context of the original codebase.<\/p>\n<p class=\"p1\">Findings C1, M1, M2, M7, M10, and L2 were discovered through manually-guided fuzzing using the <a href=\"https:\/\/getwake.io\">Wake<\/a> testing framework. 
Findings M5, M10, M11, M13, and I10 were discovered through <a href=\"https:\/\/getwake.io\">Wake<\/a> static analysis.<\/p>\n<h3><span style=\"font-weight: 400;\">Critical severity<\/span><\/h3>\n<p>C1: No revert on stale Chainlink price<\/p>\n<h3><span style=\"font-weight: 400;\">High severity<\/span><\/h3>\n<p>H1: Possible locked tokens<\/p>\n<h3><span style=\"font-weight: 400;\">Medium severity<\/span><\/h3>\n<p>M1: Incorrect proposal ID emitted<\/p>\n<p>M2: Missing support for bridging native tokens<\/p>\n<p>M3: Arbitrary token transfer through unrestricted refund function<\/p>\n<p>M4: Incorrect token balance check leading to failed position closures<\/p>\n<p>M5: Divide before multiply in <code class=\"codehl\">openPosition<\/code> function<\/p>\n<p>M6: Missing <code class=\"codehl\">payable<\/code> modifier<\/p>\n<p>M7: <code class=\"codehl\">minAmountOut<\/code> calculation too restrictive<\/p>\n<p>M8: Inconsistent token symbol formatting<\/p>\n<p>M9: Missing token validation on bridge initiation<\/p>\n<p>M10: <code class=\"codehl\">SafeERC20<\/code> not used<\/p>\n<p>M11: Native <code class=\"codehl\">transfer<\/code> revert out-of-gas<\/p>\n<p>M12: <code class=\"codehl\">WalletBalanceProvider<\/code> native tokens lockup<\/p>\n<p>M13: Missing Chainlink price feed validation<\/p>\n<h3><span style=\"font-weight: 400;\">Low severity<\/span><\/h3>\n<p>L1: Missing swap deadline protection<\/p>\n<p>L2: Try\/catch may still revert<\/p>\n<p>L3: Unsatisfiable condition on closing position with flashloans<\/p>\n<p>L4: Incorrect error messages<\/p>\n<p>L5: Missing receive function for native token handling<\/p>\n<p>L6: Missing queued transaction verification in <code class=\"codehl\">cancelTransaction<\/code><\/p>\n<p>L7: Same transaction can be queued multiple times<\/p>\n<p>L8: Native token recovery can be bypassed<\/p>\n<h3><span style=\"font-weight: 400;\">Warning severity<\/span><\/h3>\n<p>W1: Missing check to catch underflow error<\/p>\n<p>W2: Double listing 
proposal ID<\/p>\n<p>W3: Case insensitive import<\/p>\n<p>W4: Hardhat console imports<\/p>\n<p>W5: Unused state variables in <code class=\"codehl\">StrategyManager<\/code><\/p>\n<p>W6: Missing zero address validation<\/p>\n<p>W7: Lack of events<\/p>\n<p>W8: Missing proposal existence validation<\/p>\n<p>W9: Potential negative exponent in <code class=\"codehl\">CHAINLINK_NORMALIZATION<\/code> calculation<\/p>\n<p>W10: Incorrect token balance used for debt value calculation<\/p>\n<h3><span style=\"font-weight: 400;\">Informational severity<\/span><\/h3>\n<p class=\"p1\">I1: Missing underscore in internal function name<\/p>\n<p class=\"p1\">I2: Incorrect variable naming due to typo<\/p>\n<p class=\"p1\">I3: Unused <code class=\"codehl\">Ownable<\/code> inheritance<\/p>\n<p>I4: Inconsistent visibility for <code class=\"codehl\">_reversePath<\/code> function<\/p>\n<p>I5: <code class=\"codehl\">getUserAccountData<\/code> function reverts when token price is zero<\/p>\n<p>I6: <code class=\"codehl\">getUserPairs<\/code> returns an array with empty positions<\/p>\n<p>I7: Unused <code class=\"codehl\">swapPath<\/code> parameter in <code class=\"codehl\">SwapParams<\/code> struct<\/p>\n<p>I8: Unused function with potential data truncation risk<\/p>\n<p>I9: Incorrect documentation<\/p>\n<p>I10: Variables can be immutable<\/p>\n<h2><span style=\"font-weight: 400;\">TRUST MODEL<\/span><\/h2>\n<p>Users must trust Hyperlend not to lock funds in the protocol or manipulate token prices. 
Stargate gateways must be trusted to correctly relay messages between chains during cross-chain deposits.<\/p>\n<h2><span style=\"font-weight: 400;\">CONCLUSION<\/span><\/h2>\n<p class=\"p1\">Ackee Blockchain Security recommends that Hyperlend:<\/p>\n<ul>\n<li class=\"p1\">keep informed about the latest fixes made to the Aave and Fraxlend codebases; and<\/li>\n<li class=\"p1\">maintain best security practices when listing new tokens, ensuring the quality of price oracles, and monitoring the health of the protocol pools.<\/li>\n<\/ul>\n<p><b><a href=\"https:\/\/ackee.xyz\">Ackee Blockchain Security<\/a>\u2019s full Hyperlend audit report can be found <a href=\"https:\/\/github.com\/hyperlendx\/audits\/blob\/master\/hyperlend\/2025-03-24-ackee-audit-hyperlend.pdf\">here<\/a><\/b><b>.<\/b><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hyperlend is a lending protocol deployed on the Hyperliquid chain. The protocol implements risk-segmented lending pools designed for different use cases. The protocol\u2019s infrastructure includes cross-chain deposit endpoints for protocol pools, looping contracts that enable position management through flash loans, and helper contracts for asset listing functionality. 
Hyperlend engaged Ackee Blockchain Security to perform a security review of the Hyperlend protocol with&hellip;<\/p>\n","protected":false},"author":30,"featured_media":1064,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,10,103],"tags":[89,24,153],"class_list":["post-1053","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-audits","category-ethereum","category-wake","tag-audit-summary","tag-ethereum","tag-hyperlend"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/hyperlend-cover-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2025\/06\/hyperlend-cover-600x600.png","author_info":{"display_name":"Tom\u00e1\u0161 Kova\u0159\u00edk","author_link":"https:\/\/ackee.xyz\/blog\/author\/tomas-kovarik\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/1053","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/30"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=1053"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/1053\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/1064"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=1053"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=1053"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=1053"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}"
,"templated":true}]}}