defirisk.co
rubric v1.7.0

Default bytes32(0) acceptable as valid root

Circle USYC's assessment for RD-F-154 — scored not_applicable on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

[★ CRITICAL] Taxonomy mismatch: CCTP does not use Merkle roots for message validation, and no bytes32 root acceptance pattern exists in the CrossChainTeller source. A Nomad-class vulnerability ($190M) requires a Merkle-root-based validation scheme, which CCTP does not use; CrossChainTeller instead uses Circle CCTP message+attestation pairs. Score: not_applicable.

Sources

  • Etherscan
    CrossChainTeller Ethereum - Etherscan
    CrossChainTeller Ethereum at 0x5dbeCcECEbCdC2ce3258f6E638373d2923560c7d - CCTP attestation model; no Merkle root struct or bytes32 root acceptance
    retrieved 2026-05-16
  • Etherscan
    CrossChainTeller BSC - BSCScan
    CrossChainTeller BSC at 0xf38979E05650be7926EA07BB59C48Fb9b1DB3D08 - CCTP model confirmed; no Merkle root validation
    retrieved 2026-05-16

Methodology

Determine whether the bridge inbox accepts a default-value (bytes32(0)) Merkle root as a valid proof root (Nomad bug class).


rubric_version: v1.7.0
protocol: circle-usyc
factor: RD-F-154
score: not_applicable
collected_at: 2026-05-15 21:56:43