defirisk.co
rubric v1.7.0

Bridge ecrecover checks result ≠ address(0)

Jito's assessment for RD-F-151 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL] GREEN. Wormhole Messages.sol verifySignatures() explicitly checks: require(signatory != address(0), 'ecrecover failed with signature'). Code comment: 'ecrecover returns 0 for invalid signatures. We explicitly require valid signatures to avoid unexpected behaviour due to the default storage slot value also being 0.' This check was added post the Feb 2022 Wormhole exploit. F151 ★: GREEN.

Sources #

  • GitHub
    Wormhole Messages.sol — ecrecover address(0) checkgithub.com/wormhole-foundation/wormhole/blob/main/ethereum/contracts/Messages.sol lines 158-160: address signatory = ecrecover(hash, sig.v, sig.r, sig.s); require(signatory != address(0), 'ecrecover failed with signature')retrieved 2026-04-29

Methodology #

Determine whether the bridge verifier code rejects `ecrecover` returns of `address(0)`.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol jito factor RD-F-151 score green collected_at 2026-04-29 15:50:23