Hyperliquid Security Checklist for Builders: HyperBFT, HyperCore, HyperEVM Risks Before Mainnet

TL;DR, the Hyperliquid security checklist builders should clear before mainnet

1. Consensus assumptions are explicit: your protocol documents what a HyperBFT halt, validator liveness issue, or RPC outage does to user flows.
2. HyperCore dependencies are mapped: every balance, order, liquidation, vault, or token dependency coming from HyperCore is listed as a trust assumption, not treated like local EVM state.
3. HyperEVM timing is tested: your team validates whether logic depends on small block cadence, large block cadence, or deployment specific big block settings.
4. Bridging and transfer paths are reviewed: token movement between HyperCore and HyperEVM, plus any external bridge path, is tested against wrong address, wrong asset, and delayed settlement cases.
5. Precompiles and reads are hardened: every HyperCore read path fails safely when data is stale, missing, or shaped differently than your contract expects.
6. Liquidation and oracle logic is bounded: your app survives bad market conditions even when HyperCore state moves faster than your frontend or offchain automation.
7. Audit readiness is real: architecture docs, deployment plan, threat model, and integration assumptions are frozen before mainnet review.

Why this query matters now

The core mental model, HyperBFT secures ordering, HyperCore owns exchange state, HyperEVM hosts your contracts

• HyperBFT gives you shared ordering and finality assumptions.
• HyperCore is the source of truth for exchange native state, such as spot balances, order books, liquidations, and protocol managed market behavior.
• HyperEVM is where your contracts live, but not where the full market truth originates.

Hyperliquid security checklist, 4 domains to clear before mainnet

1. HyperBFT and chain level assumptions

1.1 Document what happens if the chain slows, halts, or degrades

• Define whether users can cancel, pause, redeem, or unwind if Hyperliquid RPC access is degraded.
• Identify every keeper, backend, or frontend path that depends on fresh Hyperliquid data.
• Decide which functions should pause versus continue in degraded chain conditions.
• Confirm that guardian or admin actions do not rely on the same failing infrastructure path as user actions.

1.2 Separate finality confidence from operational availability

• Run incident drills where reads fail but contracts remain deployed and correct.
• Verify that alerting covers RPC errors, stale reads, sequenced but unobserved events, and delayed operator action.
• Make sure user messaging explains whether funds are locked, delayed, or still safe.

2. HyperCore trust boundaries

2.1 List every place your protocol depends on HyperCore state

• Inventory all reads that originate from HyperCore, including balances, positions, fills, vault state, and market metadata.
• Mark whether each dependency is used for pricing, permissions, accounting, settlement, or UX only.
• Decide which reads are advisory and which ones are safety critical.
• Add explicit fallback behavior for missing or delayed HyperCore reads.

2.2 Review liquidation and margin adjacency carefully

• Model what happens if collateral value changes sharply between a read and an action.
• Review whether user vault logic can be sandwiched by market moves, liquidations, or delayed automation.
• Bound leverage, batch size, and execution assumptions around fast moving exchange conditions.
• Verify that liquidation related state cannot silently break accounting invariants in your contract.

2.3 Treat HIP 1 and ERC 20 paths as different systems

• Document which asset representation each function expects.
• Verify conversion, transfer, and user messaging flows between HyperCore and HyperEVM.
• Test wrong asset index, wrong system address, and wrong decimals cases.
• Confirm that spot slot or token configuration mistakes cannot trap user funds in the happy path.

3. HyperEVM execution and deployment risks

3.1 Respect the dual block model when designing user flows

• Test deployment scripts with the exact big block settings required for production.
• Confirm frontends do not promise timing guarantees tighter than the chain can deliver.
• Audit multi step flows that assume immediate follow up state after deployment or configuration changes.
• Rehearse redeploy and rollback procedures if a large block deployment partially succeeds.

3.2 Harden precompile reads and contract assumptions

• Validate decoding assumptions for every precompile response.
• Decide how your contract behaves if a read fails, returns zero, or returns data outside expected bounds.
• Make sure externalized read assumptions are mirrored in tests and spec docs.
• Keep authorization logic independent from brittle external data whenever possible.

3.3 Do not import standard EVM playbooks without adaptation

• Re evaluate oracle, bridge, and settlement assumptions for Hyperliquid specific flows.
• Review whether your protocol needs extra monitoring around market state changes that do not exist on a normal app chain.
• Test governance and admin procedures against chain specific deployment and funding requirements.

4. Oracle, bridge, and integration edge cases

4.1 Bridge dependencies deserve first class threat modeling

• Enumerate every bridge, relayer, and external token representation in your flow.
• Define what the app does if a bridge pauses, a relayer delays, or wrapped supply drifts from expected state.
• Add caps and circuit breakers for newly bridged assets before they reach large TVL.
• Keep emergency withdrawal logic simple and tested.

4.2 Oracle assumptions must be tied to liquidation speed

• Map all price inputs used for collateral, health factors, fees, and liquidations.
• Define max staleness for each price path.
• Test divergent prices, delayed updates, and abrupt gaps.
• Verify that fallback logic cannot be manipulated into a better price path.

A short pre audit readiness checklist for HyperEVM teams

• A one page architecture note showing HyperBFT, HyperCore, HyperEVM, offchain services, and user fund flows.
• A list of every HyperCore dependency, precompile use, and bridge dependency.
• Deployment runbooks for mainnet, including gas funding, big block requirements, and rollback steps.
• Tests that cover stale reads, failed reads, delayed automation, and wrong asset mapping.
• Admin and guardian procedures that work during chain stress.
• A clear statement of what is out of scope, especially if your contracts depend on exchange native behavior you do not control.

The integration mistakes we see most often

1. Treating HyperCore like local app state, then using it for accounting decisions without failure bounds.
2. Ignoring deployment cadence, especially when contracts or setup actions depend on large block behavior.
3. Blurring HIP 1 and ERC 20 asset paths, which creates token mapping and user fund handling errors.
4. Assuming fast finality removes operational risk, even though keepers, frontends, and RPCs can still fail.
5. Starting the audit with no system diagram, which forces auditors to reverse engineer integration assumptions instead of reviewing protocol risk first.

When to move from checklist to audit

• You read HyperCore state to make safety critical decisions.
• You combine user deposits with trading, vault, liquidation, or collateral logic.
• You depend on token transfers between HyperCore and HyperEVM.
• You need confidence that deployment and rollback procedures are safe under mainnet conditions.
• You already know the architecture, but you are no longer sure the trust boundary is scoped correctly.

Final takeaway, the real Hyperliquid checklist is about boundaries

FAQ, Hyperliquid security checklist