defirisk.co
rubric v1.7.0

EIP-712 domain separator missing chainId

Wormhole's assessment for RD-F-020 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Wormhole's VAA-based verification does not use EIP-712 for cross-chain messages — it uses its own custom VAA struct with Guardian signatures via `ecrecover`. The implementation binds messages to `srcChainId` via the `emitterChainId` field in the VAA struct. Chain replay protection is achieved through the Wormhole chain ID scheme, not EIP-712 domain separators. N/A for the core bridge (no EIP-712 in critical path); any EIP-712 usage in NTT/MultiGov peripheral contracts would require separate a...

Sources

  • Curator note
    Extracted from 01-code-security.md — RD-F-020 finding; no URL cited in original; retrieved 2026-04-28

Methodology

Determine whether the EIP-712 domain separator struct omits the `chainId` field, allowing cross-chain replay.
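One way to run this check as a first-pass triage over contract source. This is an added example, not the rubric's own tooling; the function names, the `missing_chainid` and `has_chainid` labels, and the Solidity samples are constructed for illustration, with only `not_applicable` mirroring the score on this page.

```python
import re

# EIP-712 domain type string as it appears inside a keccak256("...") literal.
DOMAIN_TYPE_RE = re.compile(r"EIP712Domain\(([^)]*)\)")
# Solidity line and block comments (simplified: ignores "//" inside strings).
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)


def domain_fields(type_args):
    """Parse 'string name,uint256 chainId' into [('string', 'name'), ...]."""
    fields = []
    for part in type_args.split(","):
        tokens = part.split()
        if len(tokens) == 2:
            fields.append((tokens[0], tokens[1]))
    return fields


def assess(source):
    """Classify one Solidity source string.

    'not_applicable' mirrors the score on this page; the other two labels
    are hypothetical names chosen for this example.
    """
    code = COMMENT_RE.sub("", source)
    domains = DOMAIN_TYPE_RE.findall(code)
    if not domains:
        return "not_applicable"  # no EIP-712 domain declared in this file
    for args in domains:
        if ("uint256", "chainId") not in domain_fields(args):
            return "missing_chainid"  # signature is replayable across chains
    return "has_chainid"


# Constructed samples, not taken from any real contract.
VAA_STYLE = """
struct VM { uint16 emitterChainId; bytes32 hash; }
function verify(bytes32 h, uint8 v, bytes32 r, bytes32 s) internal pure
    returns (address) { return ecrecover(h, v, r, s); }
"""
NO_CHAIN_ID = """
bytes32 constant DOMAIN_TYPEHASH = keccak256(
    "EIP712Domain(string name,string version,address verifyingContract)");
"""
WITH_CHAIN_ID = """
// old: keccak256("EIP712Domain(string name)")
bytes32 constant DOMAIN_TYPEHASH = keccak256(
    "EIP712Domain(string name,uint256 chainId,address verifyingContract)");
"""
```

A text match only covers type strings written as a single literal; domains assembled by concatenation or inherited from a library still need manual review.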


rubric_version: v1.7.0; protocol: wormhole; factor: RD-F-020; score: not_applicable; collected_at: 2026-04-28 01:38:43