defirisk.co
rubric v1.7.0

Bridge ecrecover checks result ≠ address(0)

Axelar Network's assessment for RD-F-151 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

[★ CRITICAL] Source-verified GREEN. Axelar's custom ECDSA.sol library implements an explicit zero-address revert: `if ((signer = ecrecover(hash, v, r, s)) == address(0)) revert InvalidSignature();`. The `_validateSignatures()` function in AxelarAuthWeighted.sol calls `ECDSA.recover()`, which provides this guard. Malformed signatures that recover to `address(0)` are explicitly rejected before the recovered signer is compared with the operators. The Wormhole-class ecrecover zero-address attack vector is structurally mitigated.
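
The guard described above, set beside an unguarded comparison, as an added example that is not Axelar's code. The library, contract and function names are hypothetical, and the slot-indexed operator mapping is an assumption made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration with hypothetical names; not Axelar's ECDSA.sol
// or AxelarAuthWeighted.sol.
library GuardedRecover {
    error InvalidSignature();

    // ecrecover returns address(0) on failure instead of reverting, so the
    // caller has to turn that sentinel value into an error itself.
    function recover(bytes32 hash, uint8 v, bytes32 r, bytes32 s)
        internal pure returns (address signer)
    {
        if ((signer = ecrecover(hash, v, r, s)) == address(0)) revert InvalidSignature();
    }
}

contract SignerCheckDemo {
    // Assumed storage layout: any slot that was never written reads as address(0).
    mapping(uint256 => address) public operators;

    constructor(address firstOperator) {
        require(firstOperator != address(0), "zero operator");
        operators[0] = firstOperator;
    }

    // Unguarded form: when recovery fails, ecrecover yields address(0), which
    // equals every unset slot, so this returns true for slot != 0.
    function matchesUnguarded(uint256 slot, bytes32 hash, uint8 v, bytes32 r, bytes32 s)
        external view returns (bool)
    {
        return ecrecover(hash, v, r, s) == operators[slot];
    }

    // Guarded form: a failed recovery reverts with InvalidSignature() before
    // any comparison with stored operators takes place.
    function matchesGuarded(uint256 slot, bytes32 hash, uint8 v, bytes32 r, bytes32 s)
        external view returns (bool)
    {
        return GuardedRecover.recover(hash, v, r, s) == operators[slot];
    }
}
```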

Sources

  • GitHub: AxelarAuthWeighted.sol signature validation
    AxelarAuthWeighted.sol _validateSignatures() — calls ECDSA.recover(messageHash, signatures[i]); signer matched against operators array
    retrieved 2026-05-17
  • GitHub: Axelar custom ECDSA.sol — zero-address guard
    axelar-cgp-solidity/contracts/ECDSA.sol — recover() function: if ((signer = ecrecover(hash, v, r, s)) == address(0)) revert InvalidSignature(); explicit zero-address revert confirmed
    retrieved 2026-05-17

Methodology

Determine whether the bridge verifier code rejects `ecrecover` returns of `address(0)`.


rubric_version: v1.7.0
protocol: axelar
factor: RD-F-151
score: green
collected_at: 2026-05-16 21:57:49