★ Default bytes32(0) acceptable as valid root
mETH Protocol's assessment for RD-F-154 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
[★ CRITICAL] Nomad zero-root bug requires bridge accepting Merkle roots directly. LayerZero OFT uses DVN-verified packet model — lzReceive validates DVN-attested payload hash, not raw Merkle root. No bytes32(0) or default-value root-acceptance path exists in L1cmETHAdapter. The EndpointV2 packet verification is hash-based on the payload content, not root-based.
Sources #
- EtherscanL1cmETHAdapter — no Merkle root acceptanceL1cmETHAdapter implementation 0xaE96dF024b9cb69a39a219d7176df6e7e39fac44 — OFTAdapterUpgradeable model; no Merkle root acceptance patternretrieved 2026-05-16
- LayerZero V2 DVN — no Merkle root patternLayerZero V2 DVN verification: payload hash verification model — not Merkle root based; Nomad pattern does not applyretrieved 2026-05-16
Methodology #
Determine whether the bridge inbox accepts a default-value (bytes32(0)) Merkle root as a valid proof root (Nomad bug class).
See the full factor methodology and distribution across all protocols →
rubric_version v1.7.0 protocol meth-protocol factor RD-F-154 score green collected_at 2026-05-16 02:17:50