★ Default bytes32(0) acceptable as valid root
Compound V3 (Comet)'s assessment for RD-F-154 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
[★ CRITICAL — GREEN] BridgeReceiver contracts do NOT validate Merkle roots. The Nomad bug pattern (bytes32(0) as valid root) is structurally absent — no root variable exists in the validation path.
Detail
The Nomad bug class applies to bridges that explicitly accept and validate Merkle roots where an uninitialized root (bytes32(0)) is treated as valid. Compound's BridgeReceiver architecture does not handle Merkle roots at all — proof validation is delegated to canonical L2 bridge infrastructure. BridgeReceiver only checks message source identity. The structural precondition for this attack class is absent.
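To make the structural distinction concrete, the following is an added illustration written for this page; it is not Compound, Nomad or OpenZeppelin code, and every contract and function name in it is invented. The first contract models an inbox that validates Merkle roots itself and shows the check a defender needs so that the storage default bytes32(0) can never pass as a proven root. The second models the shape the assessment attributes to BridgeReceiver: no root state at all, only a check on who delivered the message and who originally sent it (the messenger and governor addresses are assumed parameters, not Compound's actual configuration).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not Compound, Nomad or OpenZeppelin code.
// Contract and function names are invented for this example.

// Design 1: an inbox that validates Merkle roots itself. Solidity storage
// defaults to zero, so an unproven message maps to root bytes32(0). The Nomad
// bug class is a root check that lets bytes32(0) pass; the defence is to
// reject the zero root explicitly and to make sure no initializer ever marks
// it as confirmed.
contract RootValidatingInbox {
    address public immutable updater;

    // root => block number from which the root is acceptable; 0 = not accepted
    mapping(bytes32 => uint256) public confirmAt;
    // message hash => root the message was proven against; bytes32(0) = unproven
    mapping(bytes32 => bytes32) public provenRoot;

    constructor(address _updater) {
        updater = _updater;
    }

    function confirmRoot(bytes32 root, uint256 fromBlock) external {
        require(msg.sender == updater, "not updater");
        // Never let the storage default become an accepted root.
        require(root != bytes32(0), "zero root");
        require(fromBlock != 0, "zero block");
        confirmAt[root] = fromBlock;
    }

    // Records a message under the root it was proven against. The Merkle
    // proof verification itself is omitted; this example is about the root
    // check that follows it.
    function prove(bytes32 messageHash, bytes32 root) external {
        require(root != bytes32(0), "zero root");
        provenRoot[messageHash] = root;
    }

    function acceptableRoot(bytes32 root) public view returns (bool) {
        // Without this line, a confirmAt[bytes32(0)] entry written by a
        // careless initializer would make every unproven message acceptable.
        if (root == bytes32(0)) return false;
        uint256 at = confirmAt[root];
        return at != 0 && block.number >= at;
    }

    // True if the message would be processed.
    function process(bytes32 messageHash) external view returns (bool) {
        return acceptableRoot(provenRoot[messageHash]);
    }
}

// Design 2: the shape the assessment attributes to BridgeReceiver. Proof
// verification lives in the canonical L2 bridge messenger; this contract holds
// no root state and only checks who delivered the message and who sent it.
contract SourceIdentityInbox {
    address public immutable messenger;   // canonical bridge messenger on L2 (assumed)
    address public immutable l1Governor;  // the only origin sender allowed (assumed)

    constructor(address _messenger, address _l1Governor) {
        messenger = _messenger;
        l1Governor = _l1Governor;
    }

    function receiveMessage(address originSender, bytes calldata payload)
        external
    {
        require(msg.sender == messenger, "untrusted messenger");
        require(originSender == l1Governor, "untrusted sender");
        // payload handling goes here; no root variable exists to misvalidate
    }
}
```

The rubric check reduces to a code-reading question: if the inbox has a root mapping like `confirmAt`, look for the explicit zero-root rejection and for any initializer or upgrade path that writes to it; if, as in the second design, no root variable exists in the validation path, the precondition for this bug class is absent and the review moves to the messenger and sender identity checks instead.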
Sources
- Audit: OpenZeppelin Compound Polygon Bridge Receiver Audit — no root validation (retrieved 2026-04-27)
- Source: Compound BaseBridgeReceiver.sol — message validation, no Merkle root logic (retrieved 2026-04-27)
Methodology
Determine whether the bridge inbox accepts a default-value (bytes32(0)) Merkle root as a valid proof root (Nomad bug class).