ecrecover zero-address return unchecked
Assessment of GMX v2 (GMX Synthetics) for RD-F-019: scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
RelayUtils.sol (gasless relay) uses ECDSA.tryRecover() from OpenZeppelin (OZ) rather than raw ecrecover(). tryRecover returns (address, RecoverError), and the implementation validates the error state before using the recovered address. No raw ecrecover usage was found in the reviewed contracts, so the address(0) vulnerability is mitigated.
Sources
- GitHub, GMX RelayUtils.sol: ECDSA.tryRecover with error validation, not raw ecrecover (retrieved 2026-05-05)
Methodology
Determine whether any `ecrecover` call result is used without a `!= address(0)` guard.
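The pattern this factor looks for, next to the guarded form the evidence summary describes, as an added example that is not GMX code. The contract, mapping, function and error names are hypothetical, and it assumes OpenZeppelin Contracts 4.x, where tryRecover returns (address, RecoverError).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumption: OpenZeppelin Contracts 4.x (two-value tryRecover return).
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

// Hypothetical contract for illustration only; not taken from GMX.
contract SignerCheckExample {
    // Entries that were never set read back as address(0).
    mapping(bytes32 => address) public approvedSigner;

    // Hypothetical error name; carries the RecoverError value as a number.
    error SignatureRejected(uint8 recoverError);

    // Unguarded form: ecrecover returns address(0) for a signature it
    // cannot recover, and address(0) equals an unset approvedSigner entry,
    // so the comparison can succeed without any valid signature.
    function isAuthorizedUnguarded(
        bytes32 key,
        bytes32 digest,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external view returns (bool) {
        address recovered = ecrecover(digest, v, r, s);
        return recovered == approvedSigner[key];
    }

    // Guarded form: the RecoverError is checked before the address is used.
    // In OZ 4.x a zero result from ecrecover is reported as
    // RecoverError.InvalidSignature, so this check also covers address(0).
    function isAuthorizedChecked(
        bytes32 key,
        bytes32 digest,
        bytes memory signature
    ) external view returns (bool) {
        (address recovered, ECDSA.RecoverError err) =
            ECDSA.tryRecover(digest, signature);
        if (err != ECDSA.RecoverError.NoError) {
            revert SignatureRejected(uint8(err));
        }
        return recovered == approvedSigner[key];
    }
}
```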
rubric_version: v1.7.0 | protocol: gmx-v2 | factor: RD-F-019 | score: green | collected_at: 2026-05-05 11:15:06