defirisk.co
rubric v1.7.0

Default bytes32(0) acceptable as valid root

Aave v3's assessment for RD-F-154 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

a.DI does not use Merkle-root validation. The Nomad bug class (bytes32(0) accepted as valid root) requires a root-based inbox pattern. a.DI's confirmation-counting architecture has no Merkle root to initialize to zero. CCIP uses its own validation mechanism that also does not involve a Merkle root.

Sources #

  • GitHub
    aave-delivery-infrastructure GitHuba.DI architecture — confirmation-counting, no Merkle rootretrieved 2026-04-27
  • Internal
    T-10 Aave v3 F154 findingT-10 §2.3.2 Cat 10 F154 GREENretrieved 2026-04-27

Methodology #

Determine whether the bridge inbox accepts a default-value (bytes32(0)) Merkle root as a valid proof root (Nomad bug class).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol aave-v3 factor RD-F-154 score green collected_at 2026-04-27 23:28:46