defirisk.co
rubric v1.7.0

Default bytes32(0) acceptable as valid root

Usual (USD0 / bUSD0 / USUAL)'s assessment for RD-F-154 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

L1OFTAdapter does not implement a Merkle-root inbox. No root storage variable, no confirmAt, no acceptableRoot pattern. This is a LayerZero OFT using DVN/ULN verification, not a Merkle-proof-based bridge. The Nomad-class vulnerability (bytes32(0) as valid root) requires root-storage architecture that Usual's OFT does not have.

Sources #

  • Etherscan
    USD0 L1OFTAdapter — EtherscanL1OFTAdapter code review: no root storage, no confirmAt, no Merkle-inbox pattern; architecture is DVN-based not Merkle-root-basedretrieved 2026-05-17

Methodology #

Determine whether the bridge inbox accepts a default-value (bytes32(0)) Merkle root as a valid proof root (Nomad bug class).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol usual factor RD-F-154 score not_applicable collected_at 2026-05-16 20:39:44