★ Bridge ecrecover checks result ≠ address(0)

Maple Finance's assessment for RD-F-151 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

MapleCCIPReceiver does not use ecrecover — relies on CCIP Router as trusted authority. SyrupOftAdapter delegates to LayerZero endpoint. Zero-address ecrecover vulnerability pattern (Wormhole class) is not applicable at application layer. Security depends on upstream router/endpoint trust. [â˜… CRITICAL — NOT RED]

Detail #

MapleCCIPReceiver (0x23CEF2965Db19f67A996371F9Cb1A2F33D2b4821) ccipReceive() function accepts messages only from official CCIP Router via CCIPDefensiveReceiverOnlyCCIPRouter pattern. No contract-level ecrecover. SyrupOftAdapter (0x08881C46f82325ce2e403097be40066fa8c326b2) delegates signature verification to LayerZero EndpointV2. Wormhole-class zero-address ecrecover bug is architecturally inapplicable to both designs. Yellow (not green) because the security model relies entirely on upstream provider trustworthiness which is partially gray.

Sources #

Etherscan
Maple CCIP Receiver implementation — ccipReceiveMapleCCIPReceiver impl 0x23CEF2965Db19f67A996371F9Cb1A2F33D2b4821 — ccipReceive functionretrieved 2026-04-27
Etherscan
SyrupOftAdapter implementationSyrupOftAdapter impl 0x08881C46f82325ce2e403097be40066fa8c326b2retrieved 2026-04-27

Methodology #

Determine whether the bridge verifier code rejects `ecrecover` returns of `address(0)`.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol maple-finance factor RD-F-151 score yellow collected_at 2026-04-27 05:38:08