defirisk.co
rubric v1.7.0

Default bytes32(0) acceptable as valid root

Frax Finance's assessment for RD-F-154 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ bridge] FraxFerry uses transaction-hash batch validation — not a Merkle root acceptance model. The Nomad-class bytes32(0) zero-root acceptance pattern is structurally not applicable (no Merkle root). Fraxtal OP Stack dispute game uses Merkle roots for state transitions; standard OP Stack implementation explicitly rejects zero roots in the dispute game resolution logic. LayerZero OFT uses DVN message packet hashes, not Merkle roots. No zero-root acceptance path identified across any of the three bridge surfaces. Yellow rather than green because Fraxtal has no active fraud proof system (state roots submitted by single whitelisted proposer with no challenge mechanism actually working per L2BEAT), which means even a correctly-rejecting zero-root check provides limited protection when the entire state-root validation is centralized.

Sources #

  • URL
    L2BEAT FraxtalL2BEAT Fraxtal — 'the proof system isn't fully functional'; fraud proof 'currently under development'; whitelisted single proposer for state rootsretrieved 2026-05-17
  • Docs
    Frax FraxFerry Bridge DocsFraxFerry docs — batch-hash model (no Merkle root), structurally excludes zero-root Nomad patternretrieved 2026-05-17

Methodology #

Determine whether the bridge inbox accepts a default-value (bytes32(0)) Merkle root as a valid proof root (Nomad bug class).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol frax factor RD-F-154 score yellow collected_at 2026-05-16 20:44:31