defirisk.co
rubric v1.7.0

Default bytes32(0) acceptable as valid root

Veda (BoringVault)'s assessment for RD-F-154 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL] NOT triggered. LayerZero v2 OApp does not use a Merkle root acceptance model. The analogous zero-default risk (bytes32(0) as valid peer) is explicitly guarded: OAppCore._getPeerOrRevert() reverts when peer == bytes32(0). The Nomad-class vulnerability ($190M, default root accepted) is not present in this architecture.

Sources #

  • GitHub
    LayerZeroTeller.sol sourceLayerZeroTeller.sol — uses OAppAuth inheritance which provides OAppCore._getPeerOrRevertretrieved 2026-05-17
  • GitHub
    OAppCore.sol peer validationOAppCore._getPeerOrRevert — 'if (peer == bytes32(0)) revert NoPeer(_eid)' — explicit zero-peer revertretrieved 2026-05-17

Methodology #

Determine whether the bridge inbox accepts a default-value (bytes32(0)) Merkle root as a valid proof root (Nomad bug class).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol veda factor RD-F-154 score green collected_at 2026-05-17 12:41:22