★ Default bytes32(0) acceptable as valid root

Concrete's assessment for RD-F-154 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL] GREEN. LayerZero v2 OAppCore._getPeerOrRevert() explicitly reverts with NoPeer(_eid) if peers[_eid] == bytes32(0). The default (zero) value for an unregistered peer causes a revert, not message acceptance. This is the structural inverse of the Nomad bug ($190M, bytes32(0) accepted as valid root): in LZ v2, zero = NoPeer revert. Furthermore, allowInitializePath() returns `peers[origin.srcEid] == origin.sender` — a zero peer would not match any real sender address. No bytes32(0)-as-valid-root path exists in the LZ v2 OApp standard as used by ShareDistributor.

Sources #

GitHub
LayerZero v2 OAppCore.sol — _getPeerOrRevert() bytes32(0) revert confirmedLayerZero-Labs/LayerZero-v2 OAppCore.sol — _getPeerOrRevert(): 'bytes32 peer = peers[_eid]; if (peer == bytes32(0)) revert NoPeer(_eid); return peer;' — zero peer causes revert not acceptanceretrieved 2026-05-17

Methodology #

Determine whether the bridge inbox accepts a default-value (bytes32(0)) Merkle root as a valid proof root (Nomad bug class).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol concrete factor RD-F-154 score green collected_at 2026-05-17 14:36:59