ecrecover zero-address return unchecked
USDD (Decentralized USD)'s assessment for RD-F-019 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
Ethereum ERC-20 uses EIP-2612 permit() which calls ecrecover. Cannot confirm address(0) guard without tool run. Contract is ChainSecurity-audited (multiple rounds) which reduces risk; standard permit implementations of this era do check for address(0). Yellow: permit path uses ecrecover; audit coverage provides partial assurance but cannot confirm guard without tool run. TRON TVM: EVM-specific pattern not applicable.
Sources #
- EtherscanUsdd Stablecoin source - EtherscanUSDD Ethereum ERC-20 source - permit() function using EIP-2612 / ecrecoverretrieved 2026-05-17
- ChainSecurity USDD auditChainSecurity audit coverage provides partial assurance on permit implementationretrieved 2026-05-17
Methodology #
Determine whether any `ecrecover` call result is used without a `!= address(0)` guard.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol usdd factor RD-F-019 score yellow collected_at 2026-05-17 11:34:18