Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/unexpected-ecrecover-null-address

Name: unexpected-ecrecover-null-address
Author: apegurus

skills/vulnerability-patterns/unexpected-ecrecover-null-address/SKILL.md

- Contract uses `ecrecover` directly (not via OpenZeppelin's ECDSA library)

development

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus unexpected-ecrecover-null-address

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:31 AM144.2s1 file scanned

SKILL.md

name:: unexpected-ecrecover-null-address
description:: Raw ecrecover call that requires explicit address(0) handling
pattern_category:: signature
- regex:: ecrecover$[^\n]*$
severity:: Medium
confidence:: Medium
swc:: SWC-117

Unexpected ecrecover Null Address

Preconditions

Contract uses ecrecover directly (not via OpenZeppelin's ECDSA library)
The recovered address is not checked against address(0)
The expected signer variable could be uninitialized (defaults to address(0))

Vulnerable Pattern

contract Vault {
    address public signer; // Uninitialized — defaults to address(0)

    function withdrawWithSig(uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
        bytes32 hash = keccak256(abi.encodePacked(msg.sender, amount));

        // ecrecover returns address(0) for invalid signatures
        // (e.g., v != 27 && v != 28)
        address recovered = ecrecover(hash, v, r, s);

        // If signer is uninitialized (address(0)) and recovered is address(0),
        // this check passes — anyone can withdraw
        require(recovered == signer, "invalid signature");

        _withdraw(msg.sender, amount);
    }
}

Detection Heuristics

Search for ecrecover( calls in the codebase
Check if the returned address is validated against address(0) — flag if not
Check the variable that the recovered address is compared against — can it ever be address(0)? (uninitialized, never set, cleared by admin)
Check if OpenZeppelin's ECDSA.recover is used instead — it reverts on null recovery automatically
In upgradeable contracts, check if the signer is set during initialize() — if initialize is never called, signer remains address(0)

False Positives

require(recovered != address(0)) check is present after ecrecover
OpenZeppelin's ECDSA.recover is used (handles null address internally)
The expected signer is set in the constructor or initializer and can never be address(0) (validated on set)

Remediation

Always check require(recovered != address(0), "invalid signature") after ecrecover
Use OpenZeppelin's ECDSA.recover which reverts on invalid signatures and null recovery
Validate that signer variables cannot be address(0) at any point

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

function withdrawWithSig(uint256 amount, bytes memory sig) external {
    bytes32 hash = keccak256(abi.encodePacked(msg.sender, amount));
    bytes32 ethHash = ECDSA.toEthSignedMessageHash(hash);
    address recovered = ECDSA.recover(ethHash, sig); // Reverts if address(0)
    require(recovered == signer, "invalid signature");
    _withdraw(msg.sender, amount);
}

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/unexpected-ecrecover-null-address ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT

apegurus/unexpected-ecrecover-null-address

skills/vulnerability-patterns/unexpected-ecrecover-null-address/SKILL.md

- Contract uses `ecrecover` directly (not via OpenZeppelin's ECDSA library)

development

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus unexpected-ecrecover-null-address

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:31 AM144.2s1 file scanned

SKILL.md

name:: unexpected-ecrecover-null-address
description:: Raw ecrecover call that requires explicit address(0) handling
pattern_category:: signature
- regex:: ecrecover$[^\n]*$
severity:: Medium
confidence:: Medium
swc:: SWC-117

Unexpected ecrecover Null Address

Preconditions

Contract uses ecrecover directly (not via OpenZeppelin's ECDSA library)
The recovered address is not checked against address(0)
The expected signer variable could be uninitialized (defaults to address(0))

Vulnerable Pattern

contract Vault {
    address public signer; // Uninitialized — defaults to address(0)

    function withdrawWithSig(uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
        bytes32 hash = keccak256(abi.encodePacked(msg.sender, amount));

        // ecrecover returns address(0) for invalid signatures
        // (e.g., v != 27 && v != 28)
        address recovered = ecrecover(hash, v, r, s);

        // If signer is uninitialized (address(0)) and recovered is address(0),
        // this check passes — anyone can withdraw
        require(recovered == signer, "invalid signature");

        _withdraw(msg.sender, amount);
    }
}

Detection Heuristics

Search for ecrecover( calls in the codebase
Check if the returned address is validated against address(0) — flag if not
Check the variable that the recovered address is compared against — can it ever be address(0)? (uninitialized, never set, cleared by admin)
Check if OpenZeppelin's ECDSA.recover is used instead — it reverts on null recovery automatically
In upgradeable contracts, check if the signer is set during initialize() — if initialize is never called, signer remains address(0)

False Positives

require(recovered != address(0)) check is present after ecrecover
OpenZeppelin's ECDSA.recover is used (handles null address internally)
The expected signer is set in the constructor or initializer and can never be address(0) (validated on set)

Remediation

Always check require(recovered != address(0), "invalid signature") after ecrecover
Use OpenZeppelin's ECDSA.recover which reverts on invalid signatures and null recovery
Validate that signer variables cannot be address(0) at any point

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

function withdrawWithSig(uint256 amount, bytes memory sig) external {
    bytes32 hash = keccak256(abi.encodePacked(msg.sender, amount));
    bytes32 ethHash = ECDSA.toEthSignedMessageHash(hash);
    address recovered = ECDSA.recover(ethHash, sig); // Reverts if address(0)
    require(recovered == signer, "invalid signature");
    _withdraw(msg.sender, amount);
}

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/unexpected-ecrecover-null-address ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT