defirisk.co
rubric v1.7.0

Bridge ecrecover checks result ≠ address(0)

Ethena's assessment for RD-F-151 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Ethena uses LayerZero OFT standard (not a custom bridge with bespoke ecrecover logic). LayerZero V2 uses a DVN-based message verification scheme that does not rely on raw ecrecover in user-visible contracts. Ethena itself does not implement custom signature verification — it delegates entirely to LayerZero. The Wormhole-class F151 bug requires a protocol that directly calls ecrecover without zero-address check. No such pattern identified in Ethena OFT adapter code. Risk is inherited from LayerZero V2 (separately audited by multiple firms, no ecrecover zero-address bug reported). Cannot fully verify LayerZero's internal verification path from available sources.

Sources #

  • GitHub
    https://github.com/code-423n4/2023-10-ethenaretrieved 2026-04-28
  • Docs
    https://docs.layerzero.network/v2/deployments/evm-chains/ethereum-mainnet-oft-quickstartretrieved 2026-04-28

Methodology #

Determine whether the bridge verifier code rejects `ecrecover` returns of `address(0)`.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol ethena factor RD-F-151 score gray collected_at 2026-04-28 13:58:51