ecrecover zero-address return unchecked
Axelar Network's assessment for RD-F-019 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
The axelar-gmp-sdk-solidity ECDSA library explicitly checks: if (signer == address(0)) revert InvalidSignature(); after calling ecrecover. AxelarAuthWeighted uses ECDSA.recover() which includes this guard. The Wormhole-class vulnerability (unchecked ecrecover return) is explicitly mitigated.
Sources #
- GitHubaxelar-gmp-sdk-solidity ECDSA.sol - address(0) checkECDSA.sol lines confirming: if (signer == address(0)) revert InvalidSignature()retrieved 2026-05-17
- AxelarAuthWeighted.sol - ECDSA.recover usageAxelarAuthWeighted.sol using ECDSA.recover() - inherits the address(0) guardretrieved 2026-05-17
Methodology #
Determine whether any `ecrecover` call result is used without a `!= address(0)` guard.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol axelar factor RD-F-019 score green collected_at 2026-05-16 21:57:49