★ Default bytes32(0) acceptable as valid root

Lido's assessment for RD-F-154 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL] Not applicable to Lido's bridge architecture. Wormhole uses consumed-VAA hash tracking (not Merkle roots). Native L2 bridges use CrossDomainMessenger state-root proofs managed by L2 chain. Nomad-class bytes32(0) root vulnerability requires a Merkle inbox pattern not present in Lido's bridges.

Detail #

Lido's canonical bridges: (1) Wormhole NTT — VAA hash consumed-mapping, no Merkle root inbox; (2) Axelar — PoS attestation; (3) CrossDomainMessenger — state-root proofs by chain infrastructure. The Nomad bug class (bytes32(0) = valid Merkle root) requires a specific Merkle-root-acceptance inbox pattern. Lido's bridges do not have this architecture.

Sources #

GitHub
https://github.com/wormhole-foundation/native-token-transfers/blob/main/evm/src/Transceiver/WormholeTransceiver/WormholeTransceiverState.solretrieved 2026-04-28

Methodology #

Determine whether the bridge inbox accepts a default-value (bytes32(0)) Merkle root as a valid proof root (Nomad bug class).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol lido factor RD-F-154 score green collected_at 2026-04-28 13:58:42