ecrecover zero-address return unchecked

Hyperliquid's assessment for RD-F-019 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Signature.sol recoverSigner() function explicitly calls ecrecover(digest, sig.v, bytes32(sig.r), bytes32(sig.s)) and then checks require(signerRecovered != address(0), 'Invalid signature, recovered the zero address'). Zero-address guard is present.

Sources #

GitHub
Signature.sol raw sourceSignature.sol raw source — recoverSigner() with address(0) guardretrieved 2026-04-28

Methodology #

Determine whether any `ecrecover` call result is used without a `!= address(0)` guard.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol hyperliquid factor RD-F-019 score green collected_at 2026-04-28 13:58:49