defirisk.co
rubric v1.7.0

Bridge ecrecover checks result ≠ address(0)

Usual (USD0 / bUSD0 / USUAL)'s assessment for RD-F-151 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

L1OFTAdapter (0xE14C486b93C3B62F76F88cf8FE4B36fb672f3B26) does NOT use ecrecover internally. Message authentication is entirely delegated to LayerZero Endpoint V2. The adapter performs peer validation via isPeer() checks (source chain + peer address binding) but no direct signature verification. Wormhole-class ecrecover-zero-return vulnerability is not present in the OFT adapter code path. Endpoint V2 itself (0x1a44076050125825900e736c501f859c50fe728c) is a hardened protocol layer that handles signature/DVN verification.

Sources #

  • Etherscan
    USD0 L1OFTAdapter — EtherscanL1OFTAdapter Etherscan code tab: no ecrecover in adapter; constructor uses endpoint 0x1a44076050125825900e736c501f859c50fe728c; peer validation via isPeer() from LayerZero OFT baseretrieved 2026-05-17
  • URL
    Blockaid — KelpDAO DVN AnalysisBlockaid KelpDAO analysis: attack exploited DVN off-chain infrastructure, not ecrecover in adapter — confirms ecrecover is not the OFT vulnerability classretrieved 2026-05-17

Methodology #

Determine whether the bridge verifier code rejects `ecrecover` returns of `address(0)`.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol usual factor RD-F-151 score green collected_at 2026-05-16 20:39:44