★ Default bytes32(0) acceptable as valid root

Beefy Finance's assessment for RD-F-154 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL — GREEN] No Merkle root mechanism in XERC20Lockbox or LZ v1 adapter. XERC20Lockbox operates on direct ERC-20 deposits and xERC-20 minting — no root-based proof system. LZ v1 uses trustedRemoteLookup (bytes path comparison) for message source validation. The Nomad bytes32(0) default-root bug class is architecturally inapplicable: there is no Merkle root acceptance code path in either the lockbox or the LZ bridge adapter.

Sources #

Etherscan
LayerZero v1 adapter — no bytes32(0) root acceptanceLZ adapter 0xdddaec... — trustedRemoteLookup bytes path comparison; no Merkle root acceptance coderetrieved 2026-05-16
Etherscan
XERC20Lockbox — no Merkle root acceptanceXERC20Lockbox 0xc6e3d0CAF52E057Fb8950ae9d07aE67602919AcD — no Merkle root; deposit/withdraw mechanics onlyretrieved 2026-05-16
Docs
Beefy token bridge — validation by xERC-20 burn/mint, not Merkle rootToken bridge docs: 'burn the xERC-20 to validate the request' — lockbox mechanic, not Merkle proofretrieved 2026-05-16

Methodology #

Determine whether the bridge inbox accepts a default-value (bytes32(0)) Merkle root as a valid proof root (Nomad bug class).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol beefy factor RD-F-154 score green collected_at 2026-05-16 13:10:30