★ Bridge ecrecover checks result ≠ address(0)

ether.fi's assessment for RD-F-151 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL — green] LayerZero OFT application contracts (EtherfiOFTUpgradeable, EtherFiOFTAdapterUpgradeable) do not implement ecrecover at the application layer. Cryptographic message authentication is handled by LayerZero V2 endpoint DVN infrastructure, not application-layer signature checks. No ecrecover call found in inspected source. Wormhole-class zero-address ecrecover vulnerability not present.

Sources #

GitHub
EtherFiOFTAdapterUpgradeable.solEtherFiOFTAdapterUpgradeable.sol — no ecrecover; role-based access controlretrieved 2026-04-28
GitHub
EtherfiOFTUpgradeable.solEtherfiOFTUpgradeable.sol — no ecrecover; delegates to LayerZero endpointretrieved 2026-04-28

Methodology #

Determine whether the bridge verifier code rejects `ecrecover` returns of `address(0)`.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol ether-fi factor RD-F-151 score green collected_at 2026-04-28 13:58:46