ecrecover zero-address return unchecked

Cap (cUSD / stcUSD)'s assessment for RD-F-019 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

No raw ecrecover calls without address(0) guard found. OFTPermit.sol and L2TokenUpgradeable.sol inherit ERC20Permit from OpenZeppelin v5.2.0, which uses ECDSA.recover internally with proper zero-address handling. OFTPermit.sol also has an explicit check: if (_to == address(0x0)) _to = address(0xdead).

Sources #

GitHub
OFTPermit.sol — ecrecover Analysiscontracts/token/OFTPermit.sol — inherits ERC20Permit (OZ ECDSA), zero-address check in _credit functionretrieved 2026-05-17

Methodology #

Determine whether any `ecrecover` call result is used without a `!= address(0)` guard.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol cap factor RD-F-019 score green collected_at 2026-05-17 10:56:24