> ## Documentation Index
> Fetch the complete documentation index at: https://docs.hyperlane.xyz/llms.txt
> Use this file to discover all available pages before exploring further.

# Update Mailbox Default ISM

> Learn how to update your mailbox default ISM using the Hyperlane CLI for production deployments

## Using the Hyperlane CLI

When first deploying with the CLI, a new mailbox uses a Trusted Relayer ISM out of the box so you don't need to run a relayer or validator.

In order to go to production, you'll need to remove this ISM with the Hyperlane CLI.

## Prerequisites

* The core config generated by `hyperlane core init`.
  * This config is used to deploy core contracts, including the mailbox. By default, it takes the filepath of `CURRENT_DIR/configs/core-config.yaml`.
* The chain that the mailbox was deployed to.
* Access to the private key that currently owns the mailbox.

<Note>
  If you followed the [How to Connect Your Chain with
  Hyperlane](/docs/guides/chains/deploy-hyperlane) guide, you may have deployed
  a mailbox with the owner set to the single private key. In production, it is
  advisable to use a multisig.
</Note>

To confirm using the Hyperlane CLI, execute the following with `--chain` set to the name of your chain that the mailbox is deployed on:

```bash theme={null}
hyperlane core read --chain <yourChain>
```

After running `core read`, you should see a similar config with `owner` set to private key's address:

```yaml {4-7} theme={null}
defaultHook:
  address: "0xC2E88eC0aB5FDB9756CD3EFEE40D24120fFa6E57"
  type: "merkleTreeHook"
defaultIsm:
  address: "0xF37395A79f56268FD0040E1f5711e9Af974a545A"
  relayer: "0xa5558cA30cd9952Ab0e2349C274a3736698bD60e"
  type: "trustedRelayerIsm"
owner: "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266"
requiredHook:
  address: "0x390d29a822C21F57B163F1173cD43382bd643401"
  beneficiary: "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266"
  maxProtocolFee: "100000000000000000"
  owner: "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266"
  protocolFee: "0"
  type: "protocolFee"
```

The output is saved to `CURRENT_DIR/configs/core-config.yaml`.

This particular config has a `trustedRelayerIsm`. This means contracts (e.g., Hyperlane Warp Route) that fallback to the mailbox's `defaultIsm` will give permission to `relayer` address to execute arbitrary messages. This may be undesirable in cases outside of the self-relaying feature.

Follow these steps using the CLI to update the existing default Ism to a different configuration.

## Step 1: Update Configuration

Alternatively, you can update the `relayer` address to something else (e.g., "burn" it by setting it to an inaccessible address).

```diff core-config.yaml theme={null}
defaultHook:
  address: "0xC2E88eC0aB5FDB9756CD3EFEE40D24120fFa6E57"
  type: merkleTreeHook
defaultIsm:
  address: "0xF37395A79f56268FD0040E1f5711e9Af974a545A"
- relayer: "0xa5558cA30cd9952Ab0e2349C274a3736698bD60e"
+ relayer: "0x0000000000000000000000000000000000000001"
  type: trustedRelayerIsm
owner: "0xa5558cA30cd9952Ab0e2349C274a3736698bD60e"
requiredHook:
  address: "0x4f54055C94DCbC2b502146D46909A2cC7461c5D8"
  beneficiary: "0xa5558cA30cd9952Ab0e2349C274a3736698bD60e"
  maxProtocolFee: "100000000000000000"
  owner: "0xa5558cA30cd9952Ab0e2349C274a3736698bD60e"
  protocolFee: "0"
  type: protocolFee
```

Alternatively, you can update the `defaultIsm` config to a different ISM config. As shown, it is updated to a `messageIdMultisigIsm`.

<Warning>
  Configuring ISMs is an advanced feature that require knowledge of different
  ISM types and how they work together topologically.
</Warning>

```diff core-config.yaml theme={null}
defaultHook:
  address: "0xC2E88eC0aB5FDB9756CD3EFEE40D24120fFa6E57"
  type: merkleTreeHook
defaultIsm:
- address: "0xF37395A79f56268FD0040E1f5711e9Af974a545A"
- relayer: "0xa5558cA30cd9952Ab0e2349C274a3736698bD60e"
- type: trustedRelayerIsm
+ threshold: 1
+ type: messageIdMultisigIsm
+ validators:
+  - "0xa5558cA30cd9952Ab0e2349C274a3736698bD60e"
owner: "0xa5558cA30cd9952Ab0e2349C274a3736698bD60e"
requiredHook:
  address: "0x4f54055C94DCbC2b502146D46909A2cC7461c5D8"
  beneficiary: "0xa5558cA30cd9952Ab0e2349C274a3736698bD60e"
  maxProtocolFee: "100000000000000000"
  owner: "0xa5558cA30cd9952Ab0e2349C274a3736698bD60e"
  protocolFee: "0"
  type: protocolFee
```

## Step 2: Apply

Using the CLI, execute:

```bash theme={null}
hyperlane core apply --chain <yourChain>
```

You should see a batch of transactions executed on chain, and a final message indicating that the mailbox has been updated.

## Step 3: Confirm

To confirm using the Hyperlane CLI, execute the following:

```bash theme={null}
hyperlane core read --chain <yourChain>
```

After running `core read`, you should see a similar config with the now updated default ISM:

```yaml {6} theme={null}
defaultHook:
  address: "0x67F8c06Fd2915728E9D21451E33FbDFbCcd63c44"
  type: "merkleTreeHook"
defaultIsm:
  address: "0xac7D6df90fa937ADEfE7aD2d4905f0AEa170c467"
  relayer: "0x0000000000000000000000000000000000000001"
  type: "trustedRelayerIsm"
owner: "0xa5558cA30cd9952Ab0e2349C274a3736698bD60e"
requiredHook:
  address: "0x1Cd94b4D9B5f0e3474a6bDB8b9503Ca84F53e548"
  beneficiary: "0xa5558cA30cd9952Ab0e2349C274a3736698bD60e"
  maxProtocolFee: "100000000000000000"
  owner: "0xa5558cA30cd9952Ab0e2349C274a3736698bD60e"
  protocolFee: "0"
  type: "protocolFee"
```

By completing these steps, you've successfully updated the mailbox default ISM and enhanced the security of your mailbox. Your mailbox is now ready for production use.