Bridge validator threshold (k-of-M)
Concrete's assessment for RD-F-149 — scored gray on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
The DVN threshold (k-of-N) for Concrete's OApp pathways is not retrievable, the same blocker as F148. The catastrophic edge case of a 1/1 DVN threshold (Kelp DAO $292M Apr 2026 class) cannot be ruled out without an on-chain endpoint config query. This is the primary unresolved risk for Cat 10: if the threshold is 1, a single compromised DVN operator could forge share-claim messages to ShareDistributor. Exposure is ~$120M. See F179 for the LZ-specific escalation condition.
Sources
- GitHub: PredepostVaultOApp.sol — DVN threshold not present in source; src/periphery/predeposit/PredepostVaultOApp.sol — no threshold config in source; retrieved 2026-05-17
Methodology
Read the signature threshold required to approve a cross-chain message (for non-LZ bridges).