★ Default bytes32(0) acceptable as valid root

Midas's assessment for RD-F-154 — scored not_assessed on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL] Not assessed for LayerZero OFT surface (OFT adapter address unknown; cannot inspect lzReceive implementation). For Axelar ITS: Axelar does not use a Merkle root acceptance pattern in the Nomad sense. Axelar's approveMessages() receives signed message batches from the validator set — there is no bytes32 root default-value vulnerability in this architecture. The F154 Nomad pattern (accepting bytes32(0) as valid root) is architecturally absent from Axelar ITS. For LayerZero V2: DVN attestation is also not root-based in the Nomad sense (DVNs attest to packet hashes, not Merkle roots). The Nomad-specific vulnerability class is less directly applicable to both LayerZero V2 and Axelar ITS architectures. Not_assessed conservatively for the full OFT adapter implementation — cannot confirm without source inspection.

Sources #

URL
Axelar ITS Documentation — approveMessagesAxelar ITS approveMessages() architecture: PoS validator-signed message batches — no Merkle root acceptance patternretrieved 2026-05-16
URL
LayerZero V2 DVN DocumentationLayerZero V2 DVN documentation: DVNs attest to packet hashes, not Merkle roots — different from Nomad patternretrieved 2026-05-16

Methodology #

Determine whether the bridge inbox accepts a default-value (bytes32(0)) Merkle root as a valid proof root (Nomad bug class).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol midas factor RD-F-154 score not_assessed collected_at 2026-05-16 09:34:55