EIP-712 domain separator missing chainId
Across Protocol's assessment for RD-F-020 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
The Feb 2026 Deposit Flow audit identified an EIP-712 replay vulnerability in CounterfactualDepositSpokePool: the signed struct (`EXECUTE_DEPOSIT_TYPEHASH`) excludes route-specific fields. The issue is in the struct payload binding, not in the domain separator itself. The domain separator in standard OZ EIP-712 does include chainId. The unresolved medium is about struct-level replay (same signature reusable across routes), not missing chainId in do...
Sources
- URL: https://www.openzeppelin.com/news/deposit-flow-audit (retrieved 2026-04-28)
Methodology
Determine whether the EIP-712 domain separator struct omits the `chainId` field, allowing cross-chain replay.