defirisk.co
rubric v1.7.0

Default bytes32(0) acceptable as valid root

Stargate Finance's assessment for RD-F-154 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Default-value (bytes32(0)) acceptable as valid bridge root | NOT TRIGGERED. LayerZero v2 does not use Merkle roots for verification. It uses keccak256 payloadHash commitments. Each DVN independently computes and stores a non-default payloadHash. There is no initialization pattern where bytes32(0) is a valid root. The Nomad $190M bug required a single Merkle root to be initialized as bytes32(0) and accepted as valid proof for any message — this attack surface does not exist in LayerZero v2's h...

Sources #

  • Curator note
    Extracted from 03-oracle-deps.md — RD-F-154; no URL citedretrieved 2026-04-28

Methodology #

Determine whether the bridge inbox accepts a default-value (bytes32(0)) Merkle root as a valid proof root (Nomad bug class).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol stargate factor RD-F-154 score gray collected_at 2026-04-28 01:38:41