defirisk.co
rubric v1.7.0

Default bytes32(0) acceptable as valid root

Spiko's assessment for RD-F-154 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[STAR CRITICAL] CCIP OffRamp.sol explicitly guards against zero-root acceptance: 'if (merkleRoot == bytes32(0)) revert InvalidRoot();' — the Nomad class vulnerability (default zero value accepted as valid root) is explicitly mitigated in CCIP's implementation. Score: green.

Sources #

  • URL
    Llama Risk CCIP Explainerllamarisk.com/research/explainer-series-ccip — confirms Merkle root commit/bless architecture; RMN independently reconstructs Merkle trees to verify rootsretrieved 2026-05-16
  • GitHub
    CCIP OffRamp.sol — code-423n4 audit repositoryOffRamp.sol _commitRoot function: 'if (merkleRoot == bytes32(0)) revert InvalidRoot();' — explicit zero-root rejectionretrieved 2026-05-16

Methodology #

Determine whether the bridge inbox accepts a default-value (bytes32(0)) Merkle root as a valid proof root (Nomad bug class).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol spiko factor RD-F-154 score green collected_at 2026-05-15 22:52:13