Bridge validator threshold (k-of-M)

Cap (cUSD / stcUSD)'s assessment for RD-F-149 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

LayerZero v2 DVN threshold (requiredDVNCount) not confirmed on-chain. CheckOFTConfig.s.sol reads threshold dynamically from ep.getConfig() without asserting a minimum. Curator must call ep.getConfig(sendLibAddress, 0xA62571EbdFfAbC3051a2e5B9e1f57b23D830c8Fd, 30398, CONFIG_TYPE_ULN) on Ethereum EndpointV2 to confirm requiredDVNCount >= 2. If requiredDVNCount == 1, this upgrades to red (Kelp DAO $292M class). Post-Kelp (April 2026), LayerZero mandated multi-DVN configs; not confirmed for Cap.

Sources #

GitHub
CheckOFTConfig.s.sol — DVN threshold not hardcodedCheckOFTConfig.s.sol: UlnConfig struct has requiredDVNCount field but value read dynamically, not hardcoded minimum; ConfigureOApp.s.sol references sendUln302/receiveUln302 but no threshold assertionretrieved 2026-05-17
URL
Kelp DAO LayerZero 1-of-1 DVN exploit contextKelp DAO $292M exploit (April 2026): 1-of-1 DVN configuration — single DVN attestation sufficient to release real rsETH on Ethereumretrieved 2026-05-17

Methodology #

Read the signature threshold required to approve a cross-chain message (for non-LZ bridges).

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol cap factor RD-F-149 score yellow collected_at 2026-05-17 10:56:24