★ Default bytes32(0) acceptable as valid root

Jito's assessment for RD-F-154 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL] NOT_APPLICABLE — architecture-specific exclusion. Wormhole uses ECDSA guardian signature quorum (13-of-19), not Merkle root acceptance. The Nomad $190M bug class (bytes32(0) as default-accepted Merkle root) does not apply to Wormhole's signature-based VAA architecture. F154 ★: not_applicable (not a pass/fail — this vulnerability class is architecturally absent).

Sources #

URL
Wormhole Security — VAA signature verificationWormhole security docs: 'smart contract on the target chain will verify the signatures and format of the message' — signature-based, not Merkle-root-basedretrieved 2026-04-29
GitHub
StakePoolRate.sol — signature-based verificationStakePoolRate.sol calls parseAndVerifyQueryResponse() with guardian signatures — no Merkle root acceptanceretrieved 2026-04-29

Methodology #

Determine whether the bridge inbox accepts a default-value (bytes32(0)) Merkle root as a valid proof root (Nomad bug class).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol jito factor RD-F-154 score not_applicable collected_at 2026-04-29 15:50:23