defirisk.co
rubric v1.7.0

Avg attacker reconnaissance time for peer-class protocols

Chainlink CCIP's assessment for RD-F-163 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Bridge-class protocol reconnaissance time from hack DB. Sophisticated nation-state actors targeting bridges (Ronin/Lazarus, Harmony Horizon, Kelp/LayerZero) exhibit reconnaissance periods of 30-90+ days. The KelpDAO/Lazarus case: attackers operated as node operators for 15+ months before the exploit. This ≥30 day average reconnaissance time indicates a sufficient warning window for well-instrumented CTI signals (F158, F090). CCIP's architecture (requiring compromise of both DON quorum AND RMN independently) would require even longer reconnaissance periods than single-layer bridges. Green: ≥30 days average reconnaissance for bridge class.

Sources #

  • URL
    Kelp says LayerZero approved setup it blamed for $292M bridge hackCoinDesk: Kelp LayerZero exploit — Lazarus operated as node operators for 15+ months before exploitretrieved 2026-05-16
  • Internal
    Chainlink CCIP profile — hack DB contextHack DB — bridge class reconnaissance patterns: Ronin, Harmony Horizon, Nomad; typical 30-90+ day reconnaissance for nation-state actorsretrieved 2026-05-16

Methodology #

Report the average number of days of attacker reconnaissance activity before a strike on peer-class protocols (lending/DEX/bridge/perps), sourced from the hack database.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol chainlink-ccip factor RD-F-163 score green collected_at 2026-05-16 01:55:09