EIP-712 domain separator missing chainId
deBridge's assessment for RD-F-020 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
SignatureVerifier uses `SignatureUtil.getUnsignedMsg()` which produces `keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", _submissionId))` — EIP-191 format, not EIP-712 structured data. No domain separator with chainId is used in the signing layer. However, the submissionId itself is constructed from `abi.encodePacked(SUBMISSION_PREFIX, debridgeId, getChainId(), chainIdTo, amount, receiver, nonce)` — chain information is embedded in the signed payload itself. Cross-chain replay i...
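The binding described above, as an added Solidity sketch that is not deBridge's code: the EIP-191 digest has no chainId of its own, so replay protection rests entirely on the chain ids packed into the submission id. The field types, the prefix value, the single `signer`, and the use of `block.chainid` as the destination on the verifying side are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration, not deBridge code. Field types, the prefix value and
/// the single-signer check are assumptions made for this example.
contract ChainBoundSubmission {
    uint8 public constant SUBMISSION_PREFIX = 1; // assumed value and type
    address public immutable signer;             // hypothetical single validator

    constructor(address _signer) { signer = _signer; }

    /// Packed payload in the field order quoted in the evidence summary.
    function getSubmissionId(
        bytes32 debridgeId,
        uint256 chainIdFrom,
        uint256 chainIdTo,
        uint256 amount,
        address receiver,
        uint256 nonce
    ) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(
            SUBMISSION_PREFIX, debridgeId, chainIdFrom, chainIdTo, amount, receiver, nonce
        ));
    }

    /// EIP-191 personal-message digest: no domain separator, no chainId field.
    function getUnsignedMsg(bytes32 submissionId) public pure returns (bytes32) {
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", submissionId));
    }

    /// Recomputes the id with block.chainid as the destination (assumption), so a
    /// signature over a submission addressed to another chain recovers a
    /// different address and is rejected here.
    function isValid(
        bytes32 debridgeId,
        uint256 chainIdFrom,
        uint256 amount,
        address receiver,
        uint256 nonce,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external view returns (bool) {
        bytes32 id = getSubmissionId(debridgeId, chainIdFrom, block.chainid, amount, receiver, nonce);
        address recovered = ecrecover(getUnsignedMsg(id), v, r, s);
        return recovered != address(0) && recovered == signer;
    }
}
```

If either chain id were dropped from `getSubmissionId`, the same `(v, r, s)` would verify on every chain where this contract and signer are deployed, which is the condition the methodology checks for.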
Sources
- GitHub
Methodology
Determine whether the EIP-712 domain separator struct omits the `chainId` field, allowing cross-chain replay.