diff --git a/tuf/ngclient/_internal/metadata_bundle.py b/tuf/ngclient/_internal/metadata_bundle.py
index e0aea551e0..b4ffeb12b7 100644
--- a/tuf/ngclient/_internal/metadata_bundle.py
+++ b/tuf/ngclient/_internal/metadata_bundle.py
@@ -243,6 +243,11 @@ def root_update_finished(self):
         if self.root.signed.is_expired(self.reference_time):
             raise exceptions.ExpiredMetadataError("New root.json is expired")
 
+        # No need to recover from fast-forward attack here since
+        # timestamp and snapshot are not loaded at this point and
+        # when loaded later will be verified with the new rotated
+        # keys.
+
         self._root_update_finished = True
         logger.debug("Verified final root.json")