defirisk.co
rubric v1.7.0

Bridge ecrecover checks result ≠ address(0)

Curve Finance's assessment for RD-F-151 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL] N/A for LayerZero V2 architecture. LayerZero V2 does not use ecrecover for message validation. DVN attestation model uses structured verification to LayerZero Endpoint V2 with peer-address matching (setPeer), not raw ECDSA signature recovery where ecrecover could return address(0). The Wormhole-class ecrecover bug is specific to bridges that use raw signature recovery for validator approval — LayerZero V2 DVN model does not have this vulnerability pattern.

Sources #

  • URL
    LayerZero V2 WhitepaperLayerZero V2 whitepaper V2.1.1 — DVN verification model, peer-address matching, not ecrecoverretrieved 2026-04-28

Methodology #

Determine whether the bridge verifier code rejects `ecrecover` returns of `address(0)`.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol curve-v2 factor RD-F-151 score not_applicable collected_at 2026-04-28 19:48:40