HyperLend is a lending protocol deployed on the Hyperliquid chain. The protocol implements risk-isolated lending pools designed for various use cases. The protocol infrastructure includes a cross-chain deposit endpoint for the protocol pools, a looping contract that enables position management through flashloans, and a helper contract for listing assets.
HyperLend engaged Ackee Blockchain Security to review the HyperLend protocol with a total time donation of 46 engineering days between January 10 and February 7, 2025.
A second, fix review was carried out between February 17 and February 24, 2025.
A third review was then conducted between March 12 and March 18.
Methodology
We began the review with a deep dive into the logic of the contracts. We used static analysis tools, including Wake, to support the review, and manually inspected the core functionality of the code.
During the review, we paid special attention to the following:
- Ensuring the contracts cannot be drained of funds or used in unintended ways;
- Detecting possible reentrancies in the code;
- Ensuring integrations with other protocols are correct and safe;
- Looking for common issues such as data validation.
Scope
The audit was performed on the following repositories and commits:
- HyperLend Core, commit 425624;
- HyperLend Isolated, commit 37c678;
- Looping contract (private repository), commit 0fdde7;
- Core Config Engine, commit 0339f1;
- Cross-chain deposits (private repository), commit 43b101.
The fix review was performed on the following repositories and commits:
- HyperLend Core, commit 625161;
- HyperLend Isolated, commit 0b90ce;
- Looping contract (private repository), commit cb6fac;
- Core Config Engine, commit 4ff785;
- Cross-chain deposits (private repository), commit 38dc8a.
The third review was performed on the new HyperLend-Core repository at commit 0c2b14. The scope included all changes in the src directory compared to the original AAVE V3.2 codebase.
Security findings are classified along two dimensions: impact and likelihood. This two-dimensional classification helps clarify the seriousness of individual issues. An issue with a medium impact whose likelihood is low, for example one that can only be triggered by the team, is generally downgraded to a Warning or Informational severity rating.
Our review resulted in 44 findings, ranging from Informational to Critical severity. The most serious finding, C1, posed a critical risk of all collateral tokens being stolen from the protocol's isolated pools. The root cause had originally been reported in the context of the FraxLend V3 codebase and stemmed from incorrect use of price providers, here the newly added Chainlink one. The issue could not have been detected by a diff-based review without the context of the original codebase.
The C1, M1, M2, M7, M10 and L2 findings were discovered through manual fuzzing using the Wake testing framework. Other findings were found through Wake static analysis.
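As an added illustration of the finding class behind C1 and M13 (this is not code from the HyperLend repositories or the audit report), the following Solidity reader places an unchecked Chainlink read next to a hardened one; the contract name, the `IAggregatorV3` interface declaration and the per-feed `heartbeat` parameter are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal aggregator interface; the signature matches Chainlink's AggregatorV3Interface.
interface IAggregatorV3 {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Illustrative price reader, not HyperLend's code. `heartbeat` is an assumed
///         per-feed value: the maximum expected interval between feed updates.
contract ChainlinkPriceReader {
    IAggregatorV3 public immutable feed;
    uint256 public immutable heartbeat;

    error InvalidPrice(int256 answer);
    error StalePrice(uint256 updatedAt, uint256 heartbeat);

    constructor(IAggregatorV3 feed_, uint256 heartbeat_) {
        feed = feed_;
        heartbeat = heartbeat_;
    }

    /// @dev The pattern C1 warns about: the answer is used regardless of its age, so a
    ///      feed that has stopped updating keeps valuing collateral at a stale price.
    function getPriceUnsafe() external view returns (uint256) {
        (, int256 answer, , , ) = feed.latestRoundData();
        return uint256(answer);
    }

    /// @dev Hardened read: reject non-positive answers, incomplete rounds and any answer
    ///      older than the feed's heartbeat, instead of silently pricing with it.
    function getPrice() external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        if (answer <= 0) revert InvalidPrice(answer);
        if (updatedAt == 0 || answeredInRound < roundId) revert StalePrice(updatedAt, heartbeat);
        if (block.timestamp - updatedAt > heartbeat) revert StalePrice(updatedAt, heartbeat);
        return uint256(answer);
    }
}
```

The heartbeat must be set per feed from the feed's documented update interval; a value that is too generous reintroduces the stale-price window the check is meant to close.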
Critical severity
C1: Missing revert on stale Chainlink price
High severity
H1: Tokens can become locked
Medium severity
M1: Wrong proposal ID is emitted
M2: Missing support for native token bridging
M3: Any token can be sent through the unrestricted refund function
M4: Wrong token balance check leads to position closing failure
M5: Division before multiplication in the openPosition function
M6: Missing payable modifier
M7: minAmountOut calculation is too restrictive
M8: Incorrect token symbol format
M9: Missing token validation for bridge initiation
M10: SafeERC20 not used
M11: Native transfer reverts with out-of-gas
M12: Native token locked in WalletBalanceProvider
M13: Missing Chainlink price feed validation
Low severity
L1: Missing swap deadline protection
L2: Try/catch can still revert
L3: Unsatisfiable condition when closing a position with flashloans
L4: Wrong error message
L5: Missing receive function for native token handling
L6: Missing queued transaction validation in cancelTransaction
L7: The same transaction can be queued multiple times
L8: Native token recovery can be bypassed
Warning severity
W1: Missing check to catch underflow error
W2: Duplicate proposal ID
W3: Case-insensitive import
W4: Hardhat console import
W5: Unused state variables in StrategyManager
W6: Missing zero address validation
W7: Missing events
W8: Missing proposal existence check and validation
W9: Potentially wrong index in CHAINLINK_NORMALIZATION calculation
W10: Wallet token balance used to calculate debt value
Informational severity
I1: Missing underscore in internal function name
I2: Wrong variable name due to typo
I3: Unused Ownable inheritance
I4: Inconsistent visibility of the _reversePath function
I5: getUserAccountData function reverts when the token price is 0
I6: getUserPairs returns an array with empty positions
I7: Unused swapPath parameter in the SwapParams struct
I8: Unused functions with potential data truncation risk
I9: Incorrect documentation
I10: Variable can be immutable
Trust model
Users must trust HyperLend to maintain the protocol and not to manipulate token prices. Stargate gateways must be trusted to relay messages between chains during cross-chain deposits.
Conclusion
Ackee Blockchain Security recommends that HyperLend:
- keep up to date with the latest fixes to the AAVE and FraxLend codebases; and
- maintain best security practices when listing new tokens, ensuring the quality of price oracles, and monitoring the health of the protocol pools.
Ackee Blockchain Security's full HyperLend audit report can be found here.