defirisk.co
rubric v1.7.0

Bridge signer-set change proposed/executed

A real-time signals factor in the v1.7.0 rubric. Measured per protocol on a real-time (rt) cadence.

Methodology: how we score

**What this measures** This real-time signal fires when a bridge's validator or signer set has a change proposed or executed — including new signer additions, existing signer removals, threshold modifications, or key rotation events. The signal is generated by monitoring bridge contract events for signer-management function calls (addSigner, removeSigner, setThreshold, replaceOwner) against known bridge contract addresses. Category 6 context: signer-set changes on bridges are high-consequence events — a malicious signer addition can immediately enable fraudulent message signing, while a threshold reduction can enable single-point compromise.

**Why it matters** Bridge signer compromise is responsible for over $413M in losses in the database (Harmony Bridge $100M, Radiant Capital II $53M, plus related bridge incidents). Harmony Bridge operated with a 2-of-5 multisig where signer set composition was a critical security parameter. The Drift Protocol Security Council threshold reduction (3/5 to 2/5) six days before the $285M exploit is the clearest documented example of a signer-set change as a pre-exploit signal. RD-F-182 (Security-Council threshold reduction) is a specific variant of this broader signal class that applies to protocol Security Councils. Any unexpected bridge signer-set change warrants immediate elevated scrutiny.

**Green / Yellow / Red** Green is the baseline when no bridge signer-set changes have been proposed or executed in the trailing 30 days, or when a documented scheduled key rotation is underway with proper governance disclosure. Yellow fires when a signer addition or removal is executed following governance disclosure and within an expected rotation window. Red fires when a signer-set change — particularly a threshold reduction — is executed without prior governance disclosure, or when a new signer is added from an address with no prior verifiable identity association with the protocol.

**Common gray cases** Gray applies when the bridge does not emit standard signer-management events in a monitorable format (e.g., custom bridge architecture without event emission), or when the protocol uses an off-chain committee model for bridge validation with no on-chain signer representation.

**Notable historical examples** No cross-hacked incidents are currently linked in the database for this factor.

Measurement: what to look for

Detect whether a bridge validator or signer-set change has been proposed or executed.

Data & output

Data source: Bridge contract `ValidatorSetUpdated` / `SignerAdded` / `SignerRemoved` events via RPC subscription
Output format: Green / Yellow / Red
Evidence artifact: Event tx hash + event type + new signer set + timestamp
Confidence signal: green = signal not firing; red = signer-set change detected; gray = protocol has no bridge (N/A) or bridge events not monitored
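
The Green / Yellow / Red / Gray rules and the evidence artifact described above, as an added example (not defirisk.co's own scoring code). It replays decoded signer-management calls over a starting signer set; the record fields (`disclosed`, `known_identity`, `scheduled_rotation`), the sample events, and the choice to score any other disclosed change as yellow are assumptions.

```python
from datetime import datetime, timedelta, timezone

RANK = {"green": 0, "yellow": 1, "red": 2}
WINDOW = timedelta(days=30)                 # trailing window from the Green rule

def score_bridge(events, signers, threshold, now, monitorable=True):
    """Replay signer-management calls; return (colour, evidence list)."""
    if not monitorable:                     # gray: no on-chain signer events to watch
        return "gray", []
    signers, colour, evidence = set(signers), "green", []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, before = ev["kind"], threshold
        if kind in ("removeSigner", "replaceOwner"):
            signers.discard(ev["old"])
        if kind in ("addSigner", "replaceOwner"):
            signers.add(ev["new"])
        if kind == "setThreshold":
            threshold = ev["threshold"]
        if now - ev["ts"] > WINDOW:
            continue                        # state is still replayed, but not scored
        reasons = []
        if not ev["disclosed"]:
            reasons.append("no prior governance disclosure")
        if "new" in ev and not ev["known_identity"]:
            reasons.append("new signer has no verifiable identity link")
        note = f"threshold reduced {before}->{threshold}" if threshold < before else None
        if reasons:
            level = "red"
        elif ev.get("scheduled_rotation"):  # documented, disclosed key rotation
            level = "green"
        else:                               # assumption: any other disclosed change
            level = "yellow"
        colour = max(colour, level, key=RANK.get)
        evidence.append({"tx": ev["tx"], "kind": kind, "ts": ev["ts"], "level": level,
                         "signers": sorted(signers), "threshold": threshold,
                         "reasons": reasons + ([note] if note else [])})
    return colour, evidence

# Constructed sample data: signer labels, tx ids and dates are illustrative only.
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)
def sample_event(days_ago, tx, kind, disclosed, **kw):
    return {"ts": NOW - timedelta(days=days_ago), "tx": tx, "kind": kind,
            "disclosed": disclosed, **kw}
EVENTS = [
    sample_event(40, "tx-1", "replaceOwner", False, old="E", new="G", known_identity=True),
    sample_event(10, "tx-2", "replaceOwner", True, old="D", new="F", known_identity=True,
                 scheduled_rotation=True),
    sample_event(6, "tx-3", "setThreshold", False, threshold=2),
]
```

Calling `score_bridge(EVENTS, list("ABCDE"), 3, NOW)` scores the sample red because of the undisclosed threshold change six days before `NOW`; the 40-day-old replacement still updates the replayed signer set but falls outside the scoring window.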

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-103 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | not_applicable |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | green |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | not_applicable |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | not_applicable |
| Convex Finance | ethereum | not_applicable |
| crvUSD (Curve Stablecoin) | ethereum | not_applicable |
| Curve Finance | ethereum | not_applicable |
| deBridge | ethereum | yellow |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | not_applicable |
| Ethena | ethereum | green |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | gray |
| Falcon Finance | ethereum | not_applicable |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | gray |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | green |
| Jupiter | solana | not_applicable |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | not_applicable |
| Kamino Lend | solana | not_applicable |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | not_applicable |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | gray |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | not_applicable |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | gray |
| Midas | ethereum | yellow |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | not_applicable |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | gray |
| OpenEden | ethereum | not_applicable |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | not_applicable |
| QuickSwap | polygon | not_applicable |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | not_applicable |
| Sanctum | solana | not_applicable |
| Save (formerly Solend) | solana | not_applicable |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | green |
| Spiko | stellar | not_applicable |
| Stake DAO | ethereum | not_applicable |
| StakeWise v3 | ethereum | not_applicable |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | not_applicable |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | green |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | gray |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | green |
| Yearn Finance | ethereum | not_applicable |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version: v1.7.0; factor: RD-F-103; category: 6; carried: 80; critical: no