★ Bridge ecrecover checks result ≠ address(0)

Wormhole's assessment for RD-F-151 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Bridge signature verification checks ecrecover ≠ address(0) | GREEN — EVM Core Bridge (Messages.sol): `require(signatory != address(0), "ecrecover failed with signature")` with explicit inline documentation. This check is present, correct, and directly addresses the RD-F-151 pattern. The 2022 Wormhole hack was a Solana sysvar account confusion exploit (deprecated `load_instruction_at`), NOT an EVM ecrecover zero-check failure. The Solana exploit was patched on 2022-02-03. Taxonomy labels this...

Sources #

Curator note
Extracted from 03-oracle-deps.md — RD-F-151; no URL citedretrieved 2026-04-28

Methodology #

Determine whether the bridge verifier code rejects `ecrecover` returns of `address(0)`.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol wormhole factor RD-F-151 score gray collected_at 2026-04-28 01:38:43