ecrecover zero-address return unchecked

Falcon Finance's assessment for RD-F-019 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

USDf uses OZ ERC20PermitUpgradeable which uses OZ ECDSA.recover() — safe wrapper. No ecrecover finding in Zellic audit. Etherscan dep listing confirms OZ upgradeable pattern.

Detail #

USDf implementation imports ERC20PermitUpgradeable and EIP712Upgradeable from OZ (confirmed from Etherscan dependency listing). OZ's ECDSA library uses safe wrappers around ecrecover that handle zero-address returns. Zellic found no ecrecover-related finding. No evidence of raw ecrecover calls in the audited scope. Confidence medium because post-TGE contracts are not inspected.

Sources #

Etherscan
USDf Implementation — Etherscan dependency listingUSDf impl dependency: ERC20PermitUpgradeable + EIP712Upgradeable (OZ safe ECDSA)retrieved 2026-05-12
Audit
Zellic Falcon Finance AuditZellic: no ecrecover-related finding in audit scoperetrieved 2026-05-12

Methodology #

Determine whether any `ecrecover` call result is used without a `!= address(0)` guard.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol falcon-finance factor RD-F-019 score green collected_at 2026-05-12 04:06:37