defirisk.co
rubric v1.7.0

Bridge validator co-hosting

A cross-chain & bridge factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology how we score #

**What this measures** This factor checks whether bridge validators share ASN (Autonomous System Number), data-centre operator, or cloud custodian — indicating that multiple validators could be taken offline or compromised by a single infrastructure event. Assessment combines bridge documentation with OSINT on validator operator infrastructure. This factor applies only to bridge-touching protocols; non-bridge protocols show this factor as N/A.

**Why it matters** Physical and infrastructure co-location transforms a nominally independent validator set into a correlated failure group. A 7-of-10 bridge with all validators hosted on the same AWS region effectively has a single infrastructure point of failure — a region outage or targeted attack against that provider can simultaneously compromise the quorum. The T-01 evidence base links co-hosting patterns to approximately 3 protocols in the hack database, including bridge incidents where signer-set compromise was facilitated by shared infrastructure. Harmony Bridge validators reportedly shared operational infrastructure that reduced the effective independence of its 2-of-5 threshold.

**Green / Yellow / Red** Green is scored when validators use diverse cloud providers, geographic regions, and independent node operators with documented independence. Yellow is scored when some validators share a cloud provider or region but no single provider controls a quorum. Red is scored when validators sharing a single provider or region constitute a quorum, or when all validators are operated by the same entity.

**Common gray cases** Gray is applied when validator infrastructure cannot be determined from public documentation and OSINT cannot confidently identify hosting relationships.

**Notable historical examples** No cross-hacked incidents are currently linked in the database for this factor.

Measurement what to look for #

Determine whether validators share ASN or data-center/custodian per on-chain and OSINT inference.

Data & output #

Data source
Validator address list (from F148) + Chainalysis/TRM infrastructure OSINT + ASN lookup
Output format
Green / Yellow / Red
Evidence artifact
Validator address list + ASN/custodian inference per validator + co-hosting flag
Confidence signal
green = validators demonstrably on independent infrastructure; yellow = partial evidence or insufficient data; red = majority of validators share ASN or custodian; gray = bridge not identified or validator set not public

Scored protocols 80 carry this factor #

Protocol RD-F-150
Aave v3 ethereum yellow Across Protocol ethereum green Aerodrome Finance base not_applicable Axelar Network ethereum yellow Babylon Protocol bitcoin yellow Balancer (v2 + v3) ethereum not_applicable Beefy Finance ethereum gray BENQI avalanche not_applicable BlackRock USD Institutional Digital Liquidity Fund (BUIDL) ethereum not_applicable Cap (cUSD / stcUSD) ethereum yellow Centrifuge ethereum yellow Chainlink CCIP ethereum not_assessed Circle USYC binance not_applicable Compound V3 (Comet) ethereum gray Concrete ethereum gray Convex Finance ethereum not_applicable crvUSD (Curve Stablecoin) ethereum not_applicable Curve Finance ethereum yellow deBridge ethereum gray Dolomite ethereum yellow dYdX v4 (dYdX Chain) dydx not_applicable EigenLayer ethereum not_applicable Ethena ethereum gray ether.fi ethereum green Euler V2 ethereum not_applicable Falcon Finance ethereum not_applicable Fluid ethereum gray Frax Finance ethereum yellow GMX v2 (GMX Synthetics) arbitrum not_applicable Hyperlane ethereum gray Hyperliquid arbitrum yellow Jito solana gray Jupiter solana not_applicable Jupiter Perpetual Exchange solana not_applicable JustLend DAO tron not_applicable Kamino Lend solana not_applicable Kinetiq hyperliquid not_applicable Lido ethereum green Liquid Collective (LsETH) ethereum not_applicable Liquity V1 + V2 (LUSD / BOLD) ethereum not_applicable Lista DAO bsc gray Lombard Finance ethereum yellow M^0 ethereum yellow Maple Finance ethereum yellow Marinade Finance solana not_applicable Meteora solana not_applicable mETH Protocol ethereum gray Midas ethereum not_assessed Morpho V1 (Morpho Blue + MetaMorpho) ethereum not_applicable Multipli ethereum gray Ondo Finance ethereum green OpenEden ethereum not_applicable Orca solana not_applicable PancakeSwap bsc yellow Pendle Finance ethereum yellow Polymarket polygon not_applicable QuickSwap polygon not_applicable Raydium solana not_applicable Rocket Pool ethereum not_applicable Sanctum solana not_applicable Save (formerly Solend) solana not_applicable Sky Lending (formerly MakerDAO) ethereum gray Spark Protocol ethereum green Spiko stellar gray Stake DAO ethereum not_applicable StakeWise v3 ethereum not_applicable Stargate Finance ethereum gray stHYPE (Valantis Labs) hyperliquid not_applicable SUNSwap (sun.io) tron not_applicable Superstate ethereum not_applicable Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap ethereum not_applicable Symbiotic ethereum not_applicable Synapse Protocol ethereum not_assessed Uniswap (v2 + v3) ethereum not_applicable USDD (Decentralized USD) tron not_applicable Usual (USD0 / bUSD0 / USUAL) ethereum gray Veda (BoringVault) ethereum gray Venus Protocol bsc not_applicable Wormhole ethereum gray Yearn Finance ethereum not_applicable
0 red · 14 yellow · 5 green

Linked hacks no historical incidents linked #

No historical incidents are linked to this factor.
rubric_version v1.7.0 factor RD-F-150 category 10 carried 80 critical no