★ Bridge ecrecover checks result ≠ address(0)
Lista DAO's assessment for RD-F-151 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
LayerZero V2 OFT architecture does not use raw ecrecover in the OFT or OFTAdapter contracts. Verification is handled at the LayerZero EndpointV2 / DVN layer using MessageLib abstraction. ListaOFT and ListaOFTAdapter source-verified on both chains — no custom signature verification logic found. Wormhole-class ecrecover vulnerability pattern does not apply to LZ V2 OFT design.
Sources #
- EtherscanListaOFT Ethereum source — no ecrecoveretherscan.io/address/0x44388Ef3bc730BDE8670a3b4831281dd7E89C584 — ListaOFT source verified; no custom ecrecoverretrieved 2026-05-12
- ListaOFTAdapter BSC source — no ecrecoverbscscan.com/address/0x82f5bcD1473BDa5794239D01073797093a413f02 — ListaOFTAdapter source verified; no custom ecrecoverretrieved 2026-05-12
Methodology #
Determine whether the bridge verifier code rejects `ecrecover` returns of `address(0)`.
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol lista-dao factor RD-F-151 score green collected_at 2026-05-12 17:54:05