defirisk.co
rubric v1.7.0

Bridge ecrecover checks result ≠ address(0)

Veda (BoringVault)'s assessment for RD-F-151 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL] NOT triggered. LayerZeroTeller uses LayerZero v2 DVN-based attestation via EndpointV2. No ecrecover call in this teller. The OApp inherits OAppReceiver.lzReceive() which validates origin.sender via _getPeerOrRevert() before calling _lzReceive. The Wormhole-class vulnerability (unchecked ecrecover return → address(0)) is not present in this architecture.

Sources #

  • GitHub
    LayerZeroTeller.sol sourceLayerZeroTeller.sol — no ecrecover; imports OAppAuth from @oapp-auth/OAppAuth.sol; _lzReceive checks idToChains[_origin.srcEid].allowMessagesFromretrieved 2026-05-17
  • GitHub
    OAppCore.sol — peer validationOAppCore._getPeerOrRevert — if (peer == bytes32(0)) revert NoPeer(_eid)retrieved 2026-05-17

Methodology #

Determine whether the bridge verifier code rejects `ecrecover` returns of `address(0)`.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol veda factor RD-F-151 score green collected_at 2026-05-17 12:41:22