★ Bridge ecrecover checks result ≠ address(0)
Hyperlane's assessment for RD-F-151 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
[★ CRITICAL] GREEN. AbstractMultisigIsm.sol uses ECDSA.recover() from OpenZeppelin 4.9.3 (confirmed via foundry.toml). OZ 4.9.x ECDSA.recover() calls tryRecover() internally; if ecrecover returns address(0), tryRecover() returns RecoverError.InvalidSignature, and _throwError() reverts with ECDSAInvalidSignature(). Zero-address explicitly rejected. Additionally, even if address(0) were silently returned, the validator-matching loop (_signer != _validators[_validatorIndex]) would exhaust all validators and revert with !threshold. Double protection against zero-address ecrecover.
Sources #
- GitHubAbstractMultisigIsm.sol — ECDSA.recover usageAbstractMultisigIsm.sol verify() — uses ECDSA.recover(_digest, signatureAt(_metadata, i)); OZ 4.9.3 confirmedretrieved 2026-05-17
- OZ ECDSA.sol — zero-address guard confirmedOpenZeppelin ECDSA.sol — tryRecover() explicitly checks signer==address(0) returns InvalidSignature; _throwError revertsretrieved 2026-05-17
- foundry.toml — OZ version pinned to 4.9.3foundry.toml — @openzeppelin-contracts = 4.9.3 confirmedretrieved 2026-05-17
Methodology #
Determine whether the bridge verifier code rejects `ecrecover` returns of `address(0)`.
See the full factor methodology and distribution across all protocols →