defirisk.co
rubric v1.7.0

Bridge ecrecover checks result ≠ address(0)

Spiko's assessment for RD-F-151 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

CRITICAL: TAXONOMY MISMATCH — Chainlink CCIP does NOT use ecrecover for message validation. CCIP uses DON Merkle root commitment + RMN blessing + Merkle proof verification in OffRamp. No direct ecrecover call chain exists. F151 (Wormhole-class ecrecover zero-address check) was designed for validator-signer bridges that verify individual ECDSA signatures; CCIP uses OCR3 threshold signatures + Merkle proofs. The critical pattern targeted by F151 is structurally absent from CCIP's architecture. Score: not_applicable (taxonomy mismatch, explicitly documented).

Sources

  • GitHub
    CCIP OffRamp.sol — code-423n4 audit repository
    OffRamp.sol, code-423n4/2024-11-chainlink — message validation via i_rmnRemote.verify() and Merkle proof against blessed root, not direct ecrecover
    retrieved 2026-05-16
  • URL
    Llama Risk CCIP Explainer
    llamarisk.com/research/explainer-series-ccip — 'CCIP uses Merkle roots rather than ecrecover signatures for transaction validation'
    retrieved 2026-05-16

Methodology

Determine whether the bridge verifier code rejects `ecrecover` returns of `address(0)`.
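A worked example of the pattern this factor checks for, added here and not code from Spiko, CCIP or defirisk.co: a Wormhole-style guardian verifier in which each signature names the index of the guardian that produced it, and the recovered address must equal the guardian stored at that index. The assumption that a removed guardian leaves address(0) in its slot is mine; the unchecked function shows why a missing zero-address check matters, and the hardened one performs the check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the RD-F-151 check; not code from Spiko, CCIP or defirisk.
// Minimal validator-signer bridge verifier in the Wormhole style: each signature
// names the index of the guardian that produced it, and the recovered address
// must equal the guardian stored at that index.
contract GuardianVerifier {
    struct Signature { uint8 guardianIndex; uint8 v; bytes32 r; bytes32 s; }

    // Assumed layout: a removed guardian leaves address(0) in its slot.
    address[] public guardians;
    uint256 public quorum;

    constructor(address[] memory set, uint256 quorum_) {
        guardians = set;
        quorum = quorum_;
    }

    // VULNERABLE: ecrecover yields address(0) for a malformed signature, so a
    // signature that fails to recover still "matches" any address(0) slot and
    // is counted towards quorum.
    function verifyUnchecked(bytes32 digest, Signature[] calldata sigs) external view returns (bool) {
        for (uint256 i = 0; i < sigs.length; i++) {
            address signer = ecrecover(digest, sigs[i].v, sigs[i].r, sigs[i].s);
            require(signer == guardians[sigs[i].guardianIndex], "signer mismatch");
        }
        return sigs.length >= quorum;
    }

    // HARDENED: reject the zero address before comparing, reject high-s
    // (EIP-2) to remove signature malleability, and require strictly
    // increasing guardian indices so one guardian cannot be counted twice.
    function verify(bytes32 digest, Signature[] calldata sigs) external view returns (bool) {
        int256 lastIndex = -1;
        for (uint256 i = 0; i < sigs.length; i++) {
            Signature calldata sig = sigs[i];
            require(int256(uint256(sig.guardianIndex)) > lastIndex, "unordered guardian index");
            lastIndex = int256(uint256(sig.guardianIndex));
            require(uint256(sig.s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "high s");
            address signer = ecrecover(digest, sig.v, sig.r, sig.s);
            require(signer != address(0), "invalid signature"); // the RD-F-151 check
            require(signer == guardians[sig.guardianIndex], "signer mismatch");
        }
        return sigs.length >= quorum;
    }
}
```

For a Merkle-proof bridge such as CCIP, as the evidence above notes, there is no `ecrecover` call to guard, which is why the factor is scored not_applicable rather than pass or fail.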


  • rubric_version: v1.7.0
  • protocol: spiko
  • factor: RD-F-151
  • score: not_applicable
  • collected_at: 2026-05-15 22:52:13