ecrecover zero-address return unchecked

crvUSD (Curve Stablecoin)'s assessment for RD-F-019 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

crvUSD core contracts (Controller, AMM, ControllerFactory, PegKeeper) do not use ecrecover — no signature-based operations in the CDP/LLAMMA logic. crvUSD ERC-20 token uses EIP-2612 permit which in Vyper is handled by the compiler's built-in ECDSA, not raw ecrecover with a zero-address check gap.

Sources #

GitHub
controller.vy — GitHubcontroller.vy source — no ecrecover usageretrieved 2026-05-16

Methodology #

Determine whether any `ecrecover` call result is used without a `!= address(0)` guard.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol crvusd factor RD-F-019 score not_applicable collected_at 2026-05-16 19:09:40