★ Bridge ecrecover checks result ≠ address(0)
Cap (cUSD / stcUSD)'s assessment for RD-F-151 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Cap uses LayerZero v2 OFT protocol (OFTAdapterUpgradeable from @layerzerolabs/oft-evm-upgradeable). LayerZero v2 uses DVN attestation + lzReceive pattern, not ecrecover-based validator signatures. The Wormhole-class ecrecover zero-address check vulnerability does not apply to LayerZero v2 architecture.
Sources #
- GitHubOFTLockboxUpgradeable.sol — LayerZero v2 confirmed; ecrecover not applicableOFTLockboxUpgradeable.sol: imports OFTAdapterUpgradeable from @layerzerolabs/oft-evm-upgradeable (v2 package); ConfigureOApp.s.sol references ILayerZeroEndpointV2 and ULN302 — confirming v2retrieved 2026-05-17
- ConfigureOApp.s.sol — LayerZero v2 endpoint confirmedConfigureOApp.s.sol: references ILayerZeroEndpointV2, sendUln302, receiveUln302 — v2 ULN architecture confirmedretrieved 2026-05-17
Methodology #
Determine whether the bridge verifier code rejects `ecrecover` returns of `address(0)`.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol cap factor RD-F-151 score not_applicable collected_at 2026-05-17 10:56:24