Rip

Introduction

rHYPURR is a tokenized ERC-4626 vault with ERC-7540 asynchronous deposit and redemption capabilities, deployed on HyperEVM (Hyperliquid's EVM sidechain). The protocol fractionalizes exposure to the Hypurr NFT collection and HYPE treasury reserves, allowing users to deposit HYPE and receive rHYPURR shares representing proportional ownership of the underlying assets.

The system operates on an epoch-based model: users queue deposit or redemption requests during a given epoch, an oracle bot submits a signed NAV (Net Asset Value) report to finalize the epoch, and then the oracle processes the queued requests at the snapshotted price. Liquid HYPE beyond a configurable threshold is automatically swept to a Treasury Manager (Fordefi MPC wallet) that holds Hypurr NFTs and deploys capital off-chain.

Key Protocol Roles

Depositors: Provide HYPE (native or wrapped) to receive rHYPURR shares representing fractional vault ownership. Oracle Bot: Calculates off-chain NAV from liquid HYPE and NFT valuations, submits signed reports, and processes deposit/redemption queues. Treasury Manager: Fordefi MPC wallet holding Hypurr NFTs and excess HYPE; executes NFT trades and manages capital deployment. Treasury Role: Configures fees, reserves redemption liquidity, and manages sweep parameters.

Scope of the Engagement

Three Sigma executed a focused audit of the rHYPURR vault contract between 25 January 2026 and 27 January 2026.

The review covered 699 non-comment, non-blank lines of Solidity across the core vault contract, including deposit/redemption queues, NAV submission and validation, liquidity sweep logic, fee collection, and UUPS upgrade controls.

The primary objectives were to:

Validate the asynchronous deposit and redemption lifecycle, including epoch tagging, FIFO queue processing, and partial redemption handling. Stress-test NAV oracle trust boundaries: signature verification, drift capping, staleness circuit breakers, and expiry enforcement. Assess liquidity management flows: auto-sweep thresholds, reserved redemption liquidity accounting, and vault-to-Treasury-Manager transfers. Review fee collection timing and configuration to ensure consistency between request and processing phases. Verify access control boundaries across Oracle, Treasury, Admin, and Upgrader roles.

Challenges in Securing an Async Vault on HyperEVM

Asynchronous Deposit and Redemption Lifecycle

ERC-7540 async flows split user actions across multiple transactions and epochs. Deposits lock HYPE at request time but mint shares later at a snapshotted NAV; redemptions lock shares and pay out HYPE in a subsequent epoch. Partial redemptions add further complexity by allowing requests to roll across epochs, blocking the FIFO queue until fully settled. Any mismatch in state transitions, queue advancement, or epoch tagging risks stuck funds or unfair settlement (M-01, N-02).

NAV Oracle Trust Boundaries

The vault delegates pricing entirely to an off-chain oracle that signs NAV reports. On-chain validation must enforce signature authenticity (EIP-712 with EIP-1271 fallback), drift caps to limit per-epoch NAV movement, expiry windows, and staleness circuit breakers. Failure in any of these checks could let a compromised or stale oracle manipulate share pricing on deposits or redemptions.

Liquidity Management and Sweep Accounting

The vault automatically sweeps excess HYPE to the Treasury Manager while reserving funds for pending redemptions. Two independent counters (liquiditySweepThreshold and reservedRedemptionLiquidity) protect different pools of capital from being swept. If these counters fall out of sync with actual vault balances, the sweep mechanism either locks funds unnecessarily or fails to protect reserved liquidity (M-01, L-01).

Results and Findings

Notable Medium-Severity Issue

Reserved Redemption Liquidity Accounting Requires Manual Adjustment After Processing

Description: The processRedemptions function transferred HYPE to users but did not decrement reservedRedemptionLiquidity. The counter remained inflated after payouts, causing the sweep mechanism to over-protect funds that had already left the vault. The Treasury role had to manually call releaseRedemptionLiquidity to correct the accounting after every batch of redemptions.

Impact: Medium (Bug) - Status: Addressed in #2d0823d. Resolution: Automatically reduce reservedRedemptionLiquidity by the total payout amount (clamped to the current reserved balance) at the end of processRedemptions, eliminating the need for manual correction.

Blockchain security isn't optional.

Protect your smart contracts and DeFi protocols with Three Sigma, a trusted security partner in blockchain audits, smart contract vulnerability assessments, and Web3 security. Get a Quote Today

In conclusion

The engagement identified and resolved an accounting desync in redemption liquidity tracking that reduced capital efficiency, closed a fee-timing gap that exposed users to rate changes and caused processing reverts, and clarified sweep behavior under edge-case configurations. The audit also prompted the addition of a request cancellation mechanism, giving users a way to reclaim funds from the async queue before processing. With these remediations, rHYPURR's asynchronous vault entered deployment with accurate liquidity accounting, predictable fee behavior, and a more complete user-facing lifecycle.

Three Sigma's Value

Our review targeted the interaction between async ERC-7540 flows and real-time liquidity management, two systems that must stay synchronized despite operating on different timelines. We traced value through the full deposit-to-sweep-to-redemption cycle, uncovering accounting gaps that only manifest when reserved liquidity, fee collection, and automatic sweeps interact under specific sequencing. By fixing these timing-dependent issues and hardening the epoch-based settlement model, we helped rHYPURR ship a vault that correctly tracks every unit of HYPE across its on-chain and off-chain components.

We specialize in auditing async vault architectures and oracle-dependent DeFi protocols. If your project combines ERC-7540 flows, off-chain NAV pricing, or multi-party liquidity management, we can help identify the sequencing and accounting vulnerabilities that surface only under real operational conditions. Contact us to discuss securing your vault and protecting your users' capital.