defirisk.co
rubric v1.7.0

Bridge binds message to srcChainId

A cross-chain & bridge factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Methodology: how we score

**What this measures** This factor checks whether the bridge message struct includes a `srcChainId` field and whether the verifier enforces chain-of-origin separation when validating messages. Without this, a valid message signed for chain A can be replayed on chain B if the signer set is shared. Static analysis of the bridge verifier and message struct is the assessment method. This factor applies only to bridge-touching protocols; non-bridge protocols show this factor as N/A.

**Why it matters** Cross-chain replay attacks exploit the absence of per-chain message binding: an attacker who captures a valid signed message from one chain can replay it on a different chain where the same validator set is trusted. This is particularly relevant for bridges that operate across many chains with a shared guardian set — a signed message to release tokens on Ethereum could be replayed to release tokens on BSC, BNB Chain, or Avalanche if chain binding is absent. The T-01 evidence base links cross-chain replay patterns to approximately 2 protocols in the hack database. Chain binding is a minimum security requirement for any multi-chain bridge architecture.

**Green / Yellow / Red** Green is scored when the message struct includes `srcChainId` (or equivalent), the verifier enforces it, and per-chain nonce or root state prevents cross-chain replay. Yellow is scored when chain binding exists in the struct but is not verified in all execution paths, or when chain binding is present only for some bridge functions. Red is scored when no chain binding exists in the message struct or verification logic.
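The gap between Yellow and Green, as an added Python model (not defirisk.co's scoring code and not any bridge's implementation): when `srcChainId` sits in the struct but outside the signed digest, one guardian signature verifies under any claimed source chain, while binding it into the digest makes the relabelled copy fail. The HMAC key standing in for the shared guardian set, the chain ids 1 and 56, and every class and function name are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed stand-in for a shared guardian set: one HMAC key plays the
# role of the guardians' signatures (assumption, not a real bridge scheme).
GUARDIAN_KEY = b"constructed-guardian-key"

@dataclass(frozen=True)
class BridgeMessage:
    src_chain_id: int  # chain of origin (the factor's srcChainId)
    nonce: int
    recipient: str
    amount: int

def guardian_sign(msg, bind_src):
    """Sign the message fields; bind_src=False leaves srcChainId out of the digest."""
    fields = [msg.nonce, msg.recipient, msg.amount]
    if bind_src:
        fields.insert(0, msg.src_chain_id)
    digest = hashlib.sha256(repr(tuple(fields)).encode()).digest()
    return hmac.new(GUARDIAN_KEY, digest, hashlib.sha256).digest()

class Verifier:
    """Destination-side verifier with per-source-chain nonce state."""
    def __init__(self, trusted_sources, bind_src):
        self.trusted = set(trusted_sources)
        self.bind_src = bind_src
        self.consumed = set()  # (src_chain_id, nonce) pairs already executed

    def execute(self, msg, sig):
        if msg.src_chain_id not in self.trusted:
            return "untrusted-source"
        if not hmac.compare_digest(sig, guardian_sign(msg, self.bind_src)):
            return "bad-signature"
        if (msg.src_chain_id, msg.nonce) in self.consumed:
            return "already-consumed"
        self.consumed.add((msg.src_chain_id, msg.nonce))
        return "released"

def replay_outcomes(bind_src):
    """Deliver a chain-1 message twice, then re-present it relabelled as chain 56."""
    verifier = Verifier(trusted_sources={1, 56}, bind_src=bind_src)
    original = BridgeMessage(src_chain_id=1, nonce=7, recipient="0xConstructed", amount=100)
    sig = guardian_sign(original, bind_src)
    relabelled = replace(original, src_chain_id=56)
    return [verifier.execute(m, sig) for m in (original, original, relabelled)]
```

Per-chain nonce state alone stops only the identical resubmission; the relabelled copy is rejected only when the source chain id is part of what the guardians sign.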

**Common gray cases** Gray is applied when the bridge uses a proprietary message encoding that cannot be decoded without the closed-source ABI.

**Notable historical examples** No hack incidents are currently cross-linked in the database for this factor.

Measurement: what to look for

Determine whether the bridge message struct includes `srcChainId` and the verifier enforces per-chain separation.

Data & output

**Data source:** Source inspection of bridge message struct and verifier logic on Etherscan-verified source

**Output format:** Green / Yellow / Red

**Evidence artifact:** Message struct definition source excerpt + chainId binding check

**Confidence signal:** green = srcChainId present and enforced; red = srcChainId absent or not enforced; gray = bridge source unverified

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-152 |
| --- | --- | --- |
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | green |
| Aerodrome Finance | base | not_applicable |
| Axelar Network | ethereum | green |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | not_applicable |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | not_applicable |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | not_applicable |
| Cap (cUSD / stcUSD) | ethereum | green |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | green |
| Compound V3 (Comet) | ethereum | green |
| Concrete | ethereum | green |
| Convex Finance | ethereum | not_applicable |
| crvUSD (Curve Stablecoin) | ethereum | not_applicable |
| Curve Finance | ethereum | green |
| deBridge | ethereum | green |
| Dolomite | ethereum | green |
| dYdX v4 (dYdX Chain) | dydx | not_applicable |
| EigenLayer | ethereum | not_applicable |
| Ethena | ethereum | green |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | not_applicable |
| Falcon Finance | ethereum | not_applicable |
| Fluid | ethereum | green |
| Frax Finance | ethereum | green |
| GMX v2 (GMX Synthetics) | arbitrum | not_applicable |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | green |
| Jito | solana | green |
| Jupiter | solana | not_applicable |
| Jupiter Perpetual Exchange | solana | not_applicable |
| JustLend DAO | tron | not_applicable |
| Kamino Lend | solana | not_applicable |
| Kinetiq | hyperliquid | not_applicable |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | not_applicable |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | green |
| Marinade Finance | solana | not_applicable |
| Meteora | solana | not_applicable |
| mETH Protocol | ethereum | green |
| Midas | ethereum | green |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | not_applicable |
| Multipli | ethereum | gray |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | not_applicable |
| Orca | solana | not_applicable |
| PancakeSwap | bsc | green |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | not_applicable |
| QuickSwap | polygon | not_applicable |
| Raydium | solana | not_applicable |
| Rocket Pool | ethereum | not_applicable |
| Sanctum | solana | not_applicable |
| Save (formerly Solend) | solana | not_applicable |
| Sky Lending (formerly MakerDAO) | ethereum | green |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | not_applicable |
| StakeWise v3 | ethereum | not_applicable |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | not_applicable |
| SUNSwap (sun.io) | tron | not_applicable |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | not_applicable |
| Symbiotic | ethereum | not_applicable |
| Synapse Protocol | ethereum | yellow |
| Uniswap (v2 + v3) | ethereum | not_applicable |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | green |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | not_applicable |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version v1.7.0 factor RD-F-152 category 10 carried 80 critical no