three sigma logo
Hyperwave

Code Audit

Hyperwave

A Hyperliquid-native DeFi super-app vault tokenizing HLP for instant liquidity, yield, composability.

Severity Issues

critical
high

0

informational

1

medium

0

low

0

Audit Period

1 Day

Report

Introduction

HyperliquidForwarder is a minimal bridge-forwarding contract intended to assist ERC-20 transfers from HyperEVM to HyperCore via a two-step process. The contract maintains a mapping from token IDs to designated bridge addresses and enforces basic safety checks so only supported tokens and correct bridge endpoints are used. Intended tokens include Hyperliquid’s ecosystem assets such as USDT0 and USDE.

Scope of the Engagement

Three Sigma conducted a focused audit of HyperliquidForwarder on 10 Jun 2025.

The review covered 59 non-comment, non-blank lines across a single Solidity file:

  • src/HyperliquidForwarder.sol (59)

Auditors: 2

Effort: 0.4 person-weeks

Primary objectives:

  • Validate the forwarding flow and ensure token/bridge allowlisting cannot be bypassed.
  • Check administrative controls (only-owner/only-role) for mapping updates.
  • Verify ERC-20 transfer/approval handling and event hygiene.
  • Look for obvious reentrancy, input validation, and misrouting risks.

Challenges in Securing Bridge Forwarders

Allowlist Correctness

Forwarders must strictly gate which token IDs can be bridged and to which destination contracts, preventing confused-deputy style misroutes.

Minimal Surface, Max Signal

With tiny contracts, a single visibility or validation mistake can become a systemic footgun across multiple tokens.

Token Semantics

Fee-on-transfer tokens, non-standard decimals, or transfer returns can break naive forwarding logic if not handled defensively.

Ops Hygiene

Clear events and tight admin APIs reduce the chance of misconfiguration during live operations.

Audit Date: 2025-06-10

Language: Solidity

Type: Code Audit

Results and Findings

Key Critical Issues

No critical issues were identified.

Notable High-Severity Issues

No high-severity issues were identified.

Notable Medium-Severity Issues

No medium-severity issues were identified.

Notable Low-Severity Issues

No low-severity issues were identified.

Informational / Suggestions

Make addTokenIDToBridgeMapping external to reduce gas

Description

HyperliquidForwarder::addTokenIDToBridgeMapping is intended for external administration but is declared public. Using public introduces unnecessary memory copying (calldata→memory), slightly increasing gas.

Recommendation

Change visibility to external to avoid the copy and reduce gas for admin calls.

Blockchain security isn't optional.

Protect your smart contracts and DeFi protocols with Three Sigma, a trusted security partner in blockchain audits, smart contract vulnerability assessments, and Web3 security.

In conclusion

Impact of the Audit

The audit confirmed the forwarder’s narrow attack surface and identified a minor gas optimization without security impact. Administrative routes are clearly defined, and the mapping model is straightforward, reducing the chance of misconfiguration. With the suggested visibility change merged, HyperliquidForwarder maintains its minimal, purpose-built profile for bridging orchestration.

Three Sigma’s Value

Even compact contracts benefit from a second pair of eyes. Our Bridge audit emphasized authorization clarity, mapping integrity, and operational ergonomics, the practical edges where production incidents originate. If you’re building bridge adapters, routers, or custodial shims, we can help you keep them minimal, auditable, and safe.

Secure Your Crypto Project Before It’s Too Late. Get in Touch Today.