★ Bridge ecrecover checks result ≠ address(0)

mETH Protocol's assessment for RD-F-151 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL] LayerZero OFTAdapterUpgradeable does not use raw ecrecover for message verification. DVN verification occurs in LayerZero Endpoint V2 layer via payload hash verification, not ECDSA signature checks in the OFT adapter. The Wormhole-class ecrecover zero-address bug is not applicable to this bridge architecture. L1cmETHAdapter inherits OFTAdapterUpgradeable from lib/lz-upgradable — no ecrecover calls in the OFT receive path.

Sources #

URL
LayerZero V2 DVN configuration — verification modelLayerZero EndpointV2 DVN-based verification model — payload hash verification, not ECDSA ecrecover patternretrieved 2026-05-16
Etherscan
L1cmETHAdapter implementation — OFTAdapterUpgradeableL1cmETHAdapter implementation 0xaE96dF024b9cb69a39a219d7176df6e7e39fac44 — inherits OFTAdapterUpgradeable; no ecrecover in OFT receive pathretrieved 2026-05-16

Methodology #

Determine whether the bridge verifier code rejects `ecrecover` returns of `address(0)`.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol meth-protocol factor RD-F-151 score green collected_at 2026-05-16 02:17:50