Hyperliquid Security Checklist for Builders: HyperBFT, HyperCore, HyperEVM

TL;DR, the Hyperliquid launch checks that matter

1. HyperBFT, the consensus layer that finalizes the shared L1 block order.
2. HyperCore, the exchange engine that owns order books, margin, vaults, funding, liquidations, and native spot state.
3. HyperEVM, the smart contract environment that inherits HyperBFT finality but does not magically control every HyperCore failure mode.

Why Hyperliquid security is not just EVM security

• HyperEVM uses HYPE as the native gas token.
• HyperEVM currently interacts through JSON RPC, not an official EVM frontend.
• HyperEVM uses a dual block architecture with fast small blocks and slower large blocks.
• HyperCore to HyperEVM transfers use system addresses and token linking.
• Core to EVM transfer behavior depends on linked ERC20 contracts, emitted events, decimals, and system balances.

The three trust boundaries builders misread

1. HyperBFT, finality is not the same as application safety

• Can the protocol tolerate a chain halt or delayed finality without trapping user funds in an unsafe state?
• Does the UI clearly distinguish pending, submitted, finalized, and failed actions?
• Are keepers, market makers, and liquidation bots designed to pause safely if RPC data stalls?
• Does the incident plan cover validator level censorship, RPC disagreement, and delayed execution?
• Are contracts written so retries are idempotent when an offchain executor submits the same intent twice?

2. HyperCore, the exchange engine is part of your risk surface

• If your app reads HyperCore state, what exact state does it trust, and how stale can it be?
• If users can open or close positions through your interface, who signs the order, who relays it, and what can be replayed?
• If your protocol depends on liquidations, can a delayed or failed liquidation create bad debt or unfair withdrawals?
• If you use vault, margin, or position data, have you modeled correlated liquidation cascades instead of isolated position failure?
• If you run keepers, are they rate limited, monitored, and able to degrade safely under volatile markets?

3. HyperEVM, EVM compatibility does not mean Ethereum equivalence

• Does the contract depend on block timing assumptions that break under small block and large block scheduling?
• Does deployment tooling correctly handle large contracts and the big block user flag when needed?
• Does the protocol assume websocket JSON RPC support where the official RPC path may not provide it?
• Does gas pricing logic account for HyperEVM fee behavior, including burned priority fees?
• Do tests run against HyperEVM specific chain IDs, native HYPE behavior, and RPC quirks?

Launch blocking checklist by risk area

Order flow and signing

• Define every signer role, including user wallets, API wallets, relayers, keepers, admin keys, and backend services.
• Validate EIP 712 domain separation and chain ID usage wherever typed data is signed.
• Prevent replay across testnet, mainnet, staging, and internal tools.
• Bind orders to explicit market, side, size, price, expiry, slippage, destination, and user intent.
• Make cancellation semantics visible and testable.
• Simulate duplicate submissions, delayed submissions, and partial failure.
• Log signed payload hashes so incident response can reconstruct what users authorized.

Liquidation logic and solvency

• Model price gaps, funding jumps, oracle stalls, and liquidity cliffs.
• Test whether liquidation keepers compete safely or can grief each other.
• Define who absorbs bad debt when a position cannot be liquidated in time.
• Verify withdrawals cannot drain healthy collateral while unhealthy positions remain hidden.
• Add circuit breakers for abnormal market states.
• Measure liquidation latency from signal to signed action to confirmed state.
• Run chaos tests where keepers stop, RPCs disagree, or markets move while transactions wait.

Oracle and market data assumptions

• Identify whether each price comes from HyperCore, an external oracle, your backend, or a blended source.
• Define stale price thresholds for every market.
• Decide what happens when spot, perp, mark, index, and external prices disagree.
• Test low liquidity markets separately from majors.
• Prevent a single manipulated market from poisoning collateral valuation across the system.
• Treat websocket streams as advisory unless confirmed by deterministic reads.
• Record price source, timestamp, and confidence in critical state transitions.

HyperCore to HyperEVM asset movement

• Verify every linked ERC20 bytecode and implementation before supporting it.
• Confirm system addresses and token indexes match the intended asset.
• Check decimals and any extra EVM wei decimal configuration.
• Test non round amounts and dust behavior.
• Do not assume ERC20 validity, supply sufficiency, or fungibility without verification.
• Confirm Core to EVM transfer gas assumptions in user flows.
• Monitor Transfer events and system address balances for anomalies.
• Treat token linking as a privileged operation with its own runbook and approvals.

Bridge and external dependency risk

• Map every external bridge, RPC, indexer, custody service, oracle, signer, dashboard, notification service, and admin panel.
• Decide which dependencies can block withdrawals or liquidations.
• Add fallback RPC providers where safe, but avoid silent provider disagreement.
• Validate bridge asset provenance and canonical addresses.
• Separate monitoring credentials from trading or admin credentials.
• Write a manual recovery path for each dependency that can fail.

Common integration mistakes from docs to mainnet

Mistake 1, copying EVM deployment playbooks without HyperEVM checks

• Add HyperEVM mainnet and testnet profiles.
• Test small and large deployment flows.
• Verify explorer, monitoring, and verification support before launch.
• Dry run admin actions with production style wallets.

Mistake 2, treating exchange state as if it were contract storage

• Document every Core read and who consumes it.
• Compare API, websocket, and contract side views in tests.
• Add stale data guards and explicit user warnings.
• Pause risky actions when state freshness cannot be proven.

Mistake 3, making the backend the hidden custodian

• Minimize backend authority.
• Put every relayed action behind user signed intent.
• Use scoped API wallets and strict withdrawal limitations.
• Log all privileged actions with tamper resistant audit trails.

Mistake 4, launching with testnet confidence but no mainnet stress model

• Run scenario tests with mainnet like liquidity assumptions.
• Stress withdrawal queues, liquidation queues, and stale data windows.
• Add kill switches that are narrow, documented, and tested.
• Publish user facing risk disclosures for unsupported edge cases.

Pre audit readiness checklist for HyperEVM teams

Architecture artifacts

• One diagram showing HyperBFT, HyperCore, HyperEVM, offchain services, signers, keepers, and users.
• A table of trust boundaries and which component is allowed to move funds.
• A list of all external dependencies and fallback behavior.
• A clear statement of what is in scope and what is explicitly out of scope.

Code and deployment artifacts

• Frozen commit hash.
• Deployment scripts and chain configuration.
• Admin key list and multisig policy.
• Upgrade process, if any.
• Emergency pause process, including who can unpause.

Economic and operational artifacts

• Liquidation assumptions.
• Oracle and pricing assumptions.
• Funding, fee, and collateral logic.
• Keeper architecture.
• Bad debt handling.
• Monitoring and alerting rules.

Test evidence

• Unit tests for access control, accounting, and edge cases.
• Integration tests against HyperEVM testnet or forked simulations where possible.
• Scenario tests for stale data, delayed execution, duplicate submissions, and failed keepers.
• Invariant tests for solvency and accounting.
• Manual runbooks for bridge, oracle, and liquidation incidents.

A practical Hyperliquid audit scope

1. User intent and signing.
2. Frontend and backend relay behavior.
3. HyperCore reads and writes.
4. HyperEVM contract logic.
5. Token linking and asset movement.
6. Liquidation and oracle assumptions.
7. Keeper operations.
8. Admin controls and incident response.

Final checklist before mainnet

• Every signer role is documented and least privilege.
• Every signed payload has domain separation, expiry, and replay protection.
• Every HyperCore dependency has a stale data rule.
• Every HyperEVM assumption has a testnet or simulation result.
• Every oracle path has a failure mode and pause condition.
• Every liquidation path has a latency and bad debt model.
• Every linked asset has bytecode, decimals, supply, and system address verification.
• Every bridge or external dependency has a fallback plan.
• Every admin action has multisig, logging, and a runbook.
• Every user facing risk is visible before funds move.

Conclusion