Solidity || Sui Move Security Researcher || Formal Verification || π§βπ» SR at @QuillAudits_AI || My opinions are personal
Joined October 2021
- Tweets 944
- Following 422
- Followers 358
- Likes 3,426
54 Photos and videos
Pro King π retweeted
Feb 21
3
6
51
3,698
May 31
HyperCore auditing checklist π§΅
markPx() vs oraclePx() vs spotPx() β donβt mix them up
These are three distinct price sources:
markPx: used for PnL, margin, and liquidations (risk engine price)
oraclePx: external/index price used in funding as input to mark price
spotPx: spot market last traded price (spot-only)
Key point: they are not interchangeable, and using the wrong one in risk or collateral logic leads to incorrect results.
// β Wrong
uint64 px = spotPx(perpIndex);
// β
Correct
uint64 mark = markPx(perpIndex); // perp risk / liquidation
uint64 oracle = oraclePx(perpIndex); // funding index reference
uint64 spot = spotPx(spotIndex); // spot markets only
β οΈ Common mistake: assuming markPx == oraclePx they can diverge during volatility because mark is derived from oracle market state.
1
13
365
Pro King π retweeted
May 5
If you want to understand Hyperliquid (HyperCore HyperEVM), this video by @0xjuaan is π₯
Also, his hyper-evm-lib makes things much easier to work with. Really enjoyed diving into it.
youtube.com/watch?v=ZESEkAKiβ¦
3
2
41
2,634
May 29
Thanks @MitchellAmador and @Ehsan1579 for such a great video.
Honestly, I really enjoyed watching this , a lot of valuable insights throughout π
Full Episode: youtu.be/BPkLUdMcPLY?si=eqT0β¦
3
177
May 29
HyperCore auditing checklist π§΅
tokenInfo().evmExtraWeiDecimals β Can be NEGATIVE
evmExtraWeiDecimals is an int8, not a uint.
A negative value (e.g. -2) means the EVM amount has fewer decimals than the spot amount.
Incorrectly assuming it is always positive can cause conversion logic to break by powers of 10, leading to incorrect accounting, pricing, or settlement calculations.
// β Wrong β breaks if value is negative
uint64 evmAmt = spotAmt * (10 ** ti.evmExtraWeiDecimals);
// β
Correct
int8 extra = ti.evmExtraWeiDecimals;
if (extra >= 0) {
evmAmt =
spotAmt *
uint64(10 ** uint8(extra));
} else {
evmAmt =
spotAmt /
uint64(10 ** uint8(-extra));
}
1
14
641
Pro King π retweeted
Apr 17
1
2
16
581
May 14
l1BlockNumber() β HyperCore block progression β EVM block.number π§΅
Do not use:
- block.number to reason about HyperCore state freshness.
- l1BlockNumber() for EVM ordering assumptions.
π
1
1
5
232
May 14
// β Wrong β EVM block, not Core block
require(block.number > lastChecked);
// β
Correct β HyperCore progression require( L1ReadLib.l1BlockNumber() > lastL1Checked );
1
93
May 13
If you find these HyperCore auditing checklists helpful, a retweet would be appreciated π€
HyperCore auditing checklist π§΅
position().szi β Negative value means SHORT position:
szi is an int64, not a uint64. A negative value represents a short position. Casting it directly to uint64 can silently wrap into a massive positive value and completely break accounting or risk logic.
// β Wrong β wraps if the position is short
uint64 size = uint64(pos.szi);
// β
Correct
bool isShort = pos.szi < 0;
uint64 size = uint64(pos.szi < 0 ? -pos.szi : pos.szi);
// remaining logic
2
1
18
629
May 12
I want to start sharing small Hyperliquid based protocols auditing checklists from time to time.
Especially things that can easily be missed while auditing Hyperliquid-based protocols.
Below are two important checks π
HyperCore auditing checklist π§΅
1. spotBalance() β total is NOT free balance:
total includes tokens currently locked in open orders.
Using it as spendable(bridgeable) balance can overestimate user funds.
// β Wrong
uint64 free = bal. total;
// β
Correct
uint64 free = bal. total - bal.hold;
1
4
34
1,265
May 12
2. userVaultEquity() β Equity can still be locked
UserVaultEquity includes lockedUntilTimestamp.
If equity is still locked, withdrawals are silently rejected by HyperCore without reverting the EVM tx.
// β Wrong
uint64 eq = equity.equity;
// β
Correct
require(
block.timestamp * 1000 > equity.lockedUntilTimestamp,
"equity locked"
);
uint64 eq = equity.equity;
6
242
May 6
Also worth mentioning β an excellent article by @chase_manning_ that breaks everything down very clearly. Highly recommended.
x.com/chase_manning_/status/β¦
May 5
If you want to understand Hyperliquid (HyperCore HyperEVM), this video by @0xjuaan is π₯
Also, his hyper-evm-lib makes things much easier to work with. Really enjoyed diving into it.
youtube.com/watch?v=ZESEkAKiβ¦
1
200
May 5
If you want to understand Hyperliquid (HyperCore HyperEVM), this video by @0xjuaan is π₯
Also, his hyper-evm-lib makes things much easier to work with. Really enjoyed diving into it.
youtube.com/watch?v=ZESEkAKiβ¦
3
2
41
2,634
May 4
In audits, verifying fixes is critical work. It carries real responsibility β sometimes even more than finding the original bug.
2
147
Apr 15
No response from the protocol team till nowπ§
Apr 13
Made the most of the weekend alongside my work, I discovered a bug in a protocol with ~$38M TVL thatβs integrated by several other protocols.
Since they don't have bug bounty program on Immunefi or elsewhere, I submitted the report via email.
Letβs see what happens.
315
Apr 13
Made the most of the weekend alongside my work, I discovered a bug in a protocol with ~$38M TVL thatβs integrated by several other protocols.
Since they don't have bug bounty program on Immunefi or elsewhere, I submitted the report via email.
Letβs see what happens.
3
32
1,767