★ Bridge ecrecover checks result ≠ address(0)

deBridge's assessment for RD-F-151 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

ANTI-PATTERN PRESENT: SignatureVerifier.sol (0xfE7De3c1e1BD252C67667B56347cABFC6df08dF4, Solidity v0.8.7) recovers oracle = ecrecover(...) then checks getOracleInfo[oracle].isValid WITHOUT explicit require(oracle != address(0)). Implicit protection relies on storage default (address(0) not in oracle set). Wormhole-class anti-pattern confirmed. Contrast: DeBridgeToken.sol in same repo DOES have explicit require(recoveredAddress != address(0)) -- inconsistency. Rated yellow not red: no evidence address(0) is registered as valid oracle. CURATOR MUST VERIFY on-chain getOracleInfo[address(0)].isValid at SignatureVerifier address. If true, escalate to RED CRITICAL.

Sources #

Etherscan
https://etherscan.io/address/0xfE7De3c1e1BD252C67667B56347cABFC6df08dF4retrieved 2026-04-28
GitHub
https://github.com/debridge-finance/debridge-contracts-v1/blob/main/contracts/transfers/DeBridgeGate.solretrieved 2026-04-28

Methodology #

Determine whether the bridge verifier code rejects `ecrecover` returns of `address(0)`.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol debridge factor RD-F-151 score yellow collected_at 2026-04-28 01:27:58