★ Default bytes32(0) acceptable as valid root
Axelar Network's assessment for RD-F-154 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
[★ CRITICAL] Source-verified GREEN. In AxelarAuthWeighted.validateProof(): if (operatorsEpoch == 0 || epoch - operatorsEpoch >= OLD_KEY_RETENTION) revert InvalidOperators(). A bytes32(0) operatorsHash would produce epochForHash[bytes32(0)] == 0 (default mapping value) triggering this revert. Additionally, _transferOperatorship() prevents zero-operator sets (operatorsLength == 0 reverts with InvalidOperators) and prevents duplicate hashes. Nomad-class default-value root acceptance is structurally blocked.
Sources #
- GitHubAxelarAuthWeighted.sol validateProof — zero-epoch guardAxelarAuthWeighted.sol validateProof() line ~51: if (operatorsEpoch == 0 || epoch - operatorsEpoch >= OLD_KEY_RETENTION) revert InvalidOperators(); prevents bytes32(0) hash acceptanceretrieved 2026-05-17
- AxelarAuthWeighted.sol _transferOperatorship — empty operator preventionAxelarAuthWeighted.sol _transferOperatorship() — if (operatorsLength == 0 || !_isSortedAscAndContainsNoDuplicate(newOperators)) revert InvalidOperators(); prevents zero or empty operator set registrationretrieved 2026-05-17
Methodology #
Determine whether the bridge inbox accepts a default-value (bytes32(0)) Merkle root as a valid proof root (Nomad bug class).
See the full factor methodology and distribution across all protocols →