ecrecover zero-address return unchecked
Lista DAO's assessment for RD-F-019 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
OZ 4.6.0 falls in the affected range of GHSA-4h98-2769-gh6h (ECDSA signature malleability, HIGH severity; affected >=4.1.0 <4.7.3). hay.sol and LisUSD.sol implement EIP-712 permit signatures. If the OZ ECDSA library is used for signature verification, the HIGH advisory may apply. Marked yellow because exploitability depends on whether signatures (rather than nonces) are used as replay protection.
Sources
- GitHub: Lista DAO package.json — @openzeppelin/contracts pinned at 4.6.0 (in affected range). Retrieved 2026-05-12.
- OZ ECDSA Signature Malleability Advisory (HIGH), GHSA-4h98-2769-gh6h — OZ ECDSA HIGH severity advisory, affected >=4.1.0 <4.7.3; Lista OZ pinned at 4.6.0. Retrieved 2026-05-12.
Methodology
Determine whether any `ecrecover` call result is used without a `!= address(0)` guard.
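Added example (not Lista DAO's or OpenZeppelin's code): the unchecked `ecrecover` pattern this factor looks for, beside a hardened check that also addresses the malleability advisory above. The contract and function names and the simplified nonce-in-digest scheme are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical permit-style verifier; not code from the assessed protocol.
contract PermitVerifierExample {
    // secp256k1 n/2: a signature with s above this has a valid twin (r, n - s, v ^ 1),
    // which is the malleability GHSA-4h98-2769-gh6h concerns.
    uint256 private constant HALF_ORDER =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    mapping(address => uint256) public nonces;
    mapping(bytes32 => bool) private usedSigs; // replay marker keyed on the signature bytes

    // UNCHECKED (what RD-F-019 flags): ecrecover returns address(0) for a malformed
    // signature, so the comparison passes whenever `owner` is address(0), e.g. an
    // uninitialised owner slot. Keying replay protection on the signature bytes is
    // also weak, because the malleated twin has different bytes but the same signer.
    function verifyUnchecked(address owner, bytes32 digest, uint8 v, bytes32 r, bytes32 s)
        external returns (bool)
    {
        bytes32 sigId = keccak256(abi.encodePacked(r, s, v));
        require(!usedSigs[sigId], "replayed");
        usedSigs[sigId] = true;
        return ecrecover(digest, v, r, s) == owner;
    }

    // HARDENED: reject high-s and bad v, refuse a zero recovery result, and fold a
    // per-owner nonce into the signed digest so neither the signature nor its
    // malleated twin can be presented twice. (Assumed simplified digest; a real
    // EIP-712 permit hashes the nonce inside the typed struct.)
    function verifyChecked(address owner, bytes32 structHash, uint8 v, bytes32 r, bytes32 s)
        external returns (uint256 nonceUsed)
    {
        require(uint256(s) <= HALF_ORDER, "high-s signature");
        require(v == 27 || v == 28, "bad v");
        nonceUsed = nonces[owner];
        bytes32 digest = keccak256(abi.encodePacked(structHash, nonceUsed));
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "invalid signature");
        require(signer == owner, "wrong signer");
        nonces[owner] = nonceUsed + 1; // consumed only after every check passed
    }
}
```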
rubric_version: v1.7.0
protocol: lista-dao
factor: RD-F-019
score: yellow
collected_at: 2026-05-12 17:54:05