defirisk.co
rubric v1.7.0

Default bytes32(0) acceptable as valid root

Ondo Finance's assessment for RD-F-154 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

**GREEN — Nomad-class zero-root vulnerability does not apply.** LayerZero v2 uses a payload-hash-per-message verification model, not a Merkle root inclusion model. DVNs verify the specific `payloadHash` of each message; there is no global "root" state that could default to bytes32(0). The exploit surface for Nomad ($190M, defaulting to accepting any message when root was uninitialized) does not exist in this architecture.

Sources #

  • Docs
    LayerZero v2 docs (DVN architecture, OFT spec)https://docs.layerzero.network/v2/retrieved 2026-05-12

Methodology #

Determine whether the bridge inbox accepts a default-value (bytes32(0)) Merkle root as a valid proof root (Nomad bug class).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol ondo-finance factor RD-F-154 score green collected_at 2026-05-14 12:01:55