defirisk.co
rubric v1.7.0

ecrecover zero-address return unchecked

deBridge's assessment for RD-F-019 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

SignatureVerifier.sol calls `ecrecover(_submissionId.getUnsignedMsg(), v, r, s)` and then checks `if (getOracleInfo[oracle].isValid)` on the recovered address, with no explicit `oracle != address(0)` guard in between. `ecrecover` returns `address(0)` whenever the signature cannot be recovered (for example an out-of-range `v`, `r` or `s`), so for any malformed signature the check collapses to `getOracleInfo[address(0)].isValid`. If `address(0)` were ever registered as a valid oracle (unlikely in a correctly-operated system, but a residual risk), every malformed signature would be accepted as a valid oracle signature. The `submissionId` includes chain-specific data, so cross-chain replay is not the concern here; the finding is solely the missing zero-address check. ...
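The pattern described above, as an added illustration (this is example code written for this page, not deBridge's SignatureVerifier.sol): the unchecked form beside a hardened form, plus a registration-time guard that closes the residual risk even where the verifier itself is left unchanged. The contract name, the `OracleInfo` struct and the EIP-191 style `getUnsignedMsg` are assumptions; only the `getOracleInfo[oracle].isValid` lookup mirrors the evidence.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative contract for the RD-F-019 factor; not deBridge's code.
contract OracleSignatureCheckExample {
    struct OracleInfo {
        bool isValid; // other oracle fields omitted in this example
    }

    /// Oracle registry. Assumed name, chosen to match the lookup in the evidence.
    mapping(address => OracleInfo) public getOracleInfo;

    constructor(address[] memory oracles) {
        for (uint256 i = 0; i < oracles.length; i++) {
            // Registration-time guard: address(0) can never become a valid oracle,
            // so getOracleInfo[address(0)].isValid stays false forever.
            require(oracles[i] != address(0), "zero oracle");
            getOracleInfo[oracles[i]].isValid = true;
        }
    }

    /// Assumed stand-in for the page's getUnsignedMsg(): EIP-191 personal_sign prefix.
    function getUnsignedMsg(bytes32 submissionId) public pure returns (bytes32) {
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", submissionId));
    }

    /// Vulnerable form: trusts whatever ecrecover returns. When (v, r, s) cannot be
    /// recovered the result is address(0) and the whole check reduces to
    /// getOracleInfo[address(0)].isValid.
    function isValidOracleSignatureUnchecked(bytes32 submissionId, uint8 v, bytes32 r, bytes32 s)
        public
        view
        returns (bool)
    {
        address oracle = ecrecover(getUnsignedMsg(submissionId), v, r, s);
        return getOracleInfo[oracle].isValid;
    }

    /// Hardened form: a failed recovery is rejected before the registry is consulted,
    /// so the outcome never depends on what is stored under address(0).
    function isValidOracleSignatureChecked(bytes32 submissionId, uint8 v, bytes32 r, bytes32 s)
        public
        view
        returns (bool)
    {
        address oracle = ecrecover(getUnsignedMsg(submissionId), v, r, s);
        require(oracle != address(0), "invalid signature");
        return getOracleInfo[oracle].isValid;
    }

    /// Demonstrates the failure mode: v must be 27 or 28, so v = 0 is unrecoverable
    /// and ecrecover returns address(0) rather than reverting.
    function recoveryOfGarbageIsZero() public pure returns (bool) {
        address recovered = ecrecover(bytes32(0), 0, bytes32(0), bytes32(0));
        return recovered == address(0);
    }
}
```

With the hardened verifier, `isValidOracleSignatureChecked` reverts on unrecoverable input instead of returning whatever `getOracleInfo[address(0)].isValid` holds; with the constructor guard in place, even the unchecked variant returns `false` for such input, which is why both controls are worth having when reviewing a deployment against this factor.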

Sources

Methodology

Determine whether any `ecrecover` call result is used without a `!= address(0)` guard.


rubric_version: v1.7.0 · protocol: debridge · factor: RD-F-019 · score: yellow · collected_at: 2026-04-28 01:27:58