defirisk.co
rubric v1.7.0

ecrecover zero-address return unchecked

Chainlink CCIP's assessment for RD-F-019 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

MultiOCR3Base.sol calls ecrecover() and does not explicitly compare the return value against address(0). It relies on an implicit guard instead: ecrecover returns address(0) rather than reverting when a signature is malformed, but address(0) can never satisfy oracle.role == Role.Signer because that role is never assigned to address(0), and a Solidity mapping reads back its zero-initialised value for an entry that was never written. The comment at line 324 of the file confirms this design. ManyChainMultiSig uses OpenZeppelin's ECDSA.recover(), which reverts on a malleable (high-s) signature and also when the underlying ecrecover yields address(0), so no caller-side check is needed there. The implicit protection in MultiOCR3Base is architecturally sound, but it rests on an invariant maintained by the configuration path (the Signer role is never granted to address(0)) rather than on a local check, and it does not meet the explicit != address(0) standard required for green.
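The three patterns discussed above side by side, as an added Solidity illustration that is not code from MultiOCR3Base.sol or ManyChainMultiSig. The Role enum, Oracle struct, s_oracles mapping and the verify* functions are invented names; the OpenZeppelin import path and error names are those of OZ Contracts v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from MultiOCR3Base.sol or ManyChainMultiSig.
// Role, Oracle, s_oracles and the verify* functions are invented names.
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

contract SignerRecoveryPatterns {
    // Role.Unset == 0 is what a never-written mapping entry reads back as.
    enum Role { Unset, Signer }

    struct Oracle {
        uint8 index;
        Role role;
    }

    mapping(address => Oracle) internal s_oracles;

    // Upper bound on s accepted by OpenZeppelin ECDSA: secp256k1n / 2.
    uint256 private constant HALF_ORDER =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    error InvalidSignature();
    error UnauthorizedSigner(address signer);

    constructor(address[] memory signers) {
        for (uint256 i = 0; i < signers.length; ++i) {
            // This refusal is what keeps pattern A sound: if address(0) could ever
            // be granted Role.Signer, a malformed signature would authenticate.
            require(signers[i] != address(0), "zero signer");
            s_oracles[signers[i]] = Oracle({index: uint8(i), role: Role.Signer});
        }
    }

    // Pattern A (yellow): the ecrecover result is used with no zero-address check.
    // ecrecover does not revert on a malformed signature (bad v, r or s out of
    // range); it returns address(0). The role lookup is the only thing that
    // rejects it, and only because address(0) is never granted Role.Signer.
    function verifyImplicit(bytes32 digest, uint8 v, bytes32 r, bytes32 s)
        external view returns (address signer)
    {
        signer = ecrecover(digest, v, r, s);
        if (s_oracles[signer].role != Role.Signer) revert UnauthorizedSigner(signer);
    }

    // Pattern B (green): explicit guard, independent of how roles are configured.
    function verifyExplicit(bytes32 digest, uint8 v, bytes32 r, bytes32 s)
        external view returns (address signer)
    {
        if (uint256(s) > HALF_ORDER) revert InvalidSignature(); // reject the malleable (high-s) form
        signer = ecrecover(digest, v, r, s);
        if (signer == address(0)) revert InvalidSignature();     // the check RD-F-019 looks for
        if (s_oracles[signer].role != Role.Signer) revert UnauthorizedSigner(signer);
    }

    // Pattern C (the ManyChainMultiSig route): ECDSA.recover performs both checks
    // itself. In OZ v5 it reverts with ECDSAInvalidSignatureS on high-s and with
    // ECDSAInvalidSignature when the underlying ecrecover yields address(0).
    function verifyViaOZ(bytes32 digest, uint8 v, bytes32 r, bytes32 s)
        external view returns (address signer)
    {
        signer = ECDSA.recover(digest, v, r, s);
        if (s_oracles[signer].role != Role.Signer) revert UnauthorizedSigner(signer);
    }
}
```

Pattern A is the shape the curator scored yellow: correct today, but its safety lives in the constructor's require rather than at the point of use, so a later change to role administration could silently break it. Patterns B and C both fail closed at the recovery site, which is what the factor's green criterion asks for.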

Sources #

Methodology #

Determine whether any `ecrecover` call result is used without a `!= address(0)` guard.


rubric_version: v1.7.0
protocol: chainlink-ccip
factor: RD-F-019
score: yellow
collected_at: 2026-05-16 01:55:09