ecrecover zero-address return unchecked

Centrifuge's assessment for RD-F-019 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

SignatureLib.isValidSignature() guards against address(0) via require(signer != address(0), InvalidSigner()) before ecrecover is called. ERC20.sol permit function delegates to SignatureLib. No other ecrecover usage found. Code4rena 2023 flagged domain-separator caching (separate issue, resolved); no ecrecover zero-return finding in any audit.

Sources #

GitHub
ERC20.sol permit — SignatureLib.isValidSignature() delegationcentrifuge/protocol misc/ERC20.sol — permit function delegates to SignatureLibretrieved 2026-04-28
Audit
https://code4rena.com/reports/2023-09-centrifugeretrieved 2026-04-28
GitHub
SignatureLib.sol — ecrecover with pre-validated non-zero signercentrifuge/protocol misc/libraries/SignatureLib.sol — require(signer != address(0)) before ecrecoverretrieved 2026-04-28

Methodology #

Determine whether any `ecrecover` call result is used without a `!= address(0)` guard.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol centrifuge factor RD-F-019 score green collected_at 2026-04-30 21:19:10