LayerZero OFT DVN config (count, threshold, diversity)
Pendle Finance's assessment for RD-F-179 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
PENDLE OFT (LayerZero V2, July 2025): the DVN configuration for the Ethereum↔HyperEVM↔Berachain pathways was not confirmed via a direct on-chain read in this assessment. Post-KelpDAO ecosystem analysis (April 2026) explicitly names Pendle as the second-highest at-risk asset by market cap (~$229M) among protocols with potentially vulnerable DVN configurations. 47% of LayerZero OApps used a 1-of-1 DVN at the time of analysis. LayerZero forced an ecosystem migration post-KelpDAO. The legacy governance messaging path (PendleMsgSendEndpointUpg.sol) is LayerZero V1: it predates the DVN model entirely and uses a single oracle+relayer (no DVN). Scored yellow because the specific OFT DVN configuration is unconfirmed; the ecosystem risk signal is strong but on-chain verification is incomplete. CURATOR ACTION REQUIRED: run the Blockaid DVN audit script against the PENDLE OFT contracts on HyperEVM/Berachain; if 1-of-1 is confirmed, upgrade to RED.
Sources
- GitHub: PendleMsgSendEndpointUpg.sol — V1 no DVN, default oracle+relayer (retrieved 2026-04-29)
- LayerZero OFT/OApp DVN configuration audit script: Blockaid DVN audit script for LayerZero OFTs (retrieved 2026-04-29)
- Dune Analytics: 47% LayerZero OApps Minimal DVN Security. TheDefiant — 47% of LZ OApps use 1-of-1 DVN (retrieved 2026-04-29)
- DeFi Hack Analysis: Billions Exposed After Kelp DAO Exploit. CrowdFund Insider — Pendle named as 2nd at-risk post-KelpDAO (retrieved 2026-04-29)
Methodology
For any LayerZero OFT adapter, read the DVN configuration: count of DVNs, k-of-N threshold, and operator diversity (independent operators vs same-operator multi-DVN).
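The read described in the methodology, as an added example (it is not the curator's or Blockaid's script): it decodes an ABI-encoded LayerZero V2 `UlnConfig` and reports DVN count, threshold and operator diversity. It assumes the bytes are the effective (defaults already resolved) config for one pathway; the operator labels, the sample addresses used with it and the `min_operators_to_verify` metric are constructed for illustration.

```python
from collections import Counter

# Assumed struct layout (LayerZero V2 UlnConfig): uint64 confirmations,
# uint8 requiredDVNCount, uint8 optionalDVNCount, uint8 optionalDVNThreshold,
# address[] requiredDVNs, address[] optionalDVNs
def _word(buf, off):
    if off + 32 > len(buf):
        raise ValueError("truncated config")
    return int.from_bytes(buf[off:off + 32], "big")

def _addresses(buf, off):
    return ["0x%040x" % (_word(buf, off + 32 * (i + 1)) & (2**160 - 1))
            for i in range(_word(buf, off))]

def decode_uln_config(raw):
    base = _word(raw, 0)  # offset of the struct; inner offsets are relative to it
    _conf, req_n, opt_n, opt_k = (_word(raw, base + 32 * i) for i in range(4))
    required = _addresses(raw, base + _word(raw, base + 128))
    optional = _addresses(raw, base + _word(raw, base + 160))
    if (req_n, opt_n) != (len(required), len(optional)) or opt_k > opt_n:
        raise ValueError("DVN counts disagree with DVN arrays")
    return required, optional, opt_k

def encode_uln_config(conf, required, optional, opt_k):
    """Helper that builds constructed sample bytes for offline runs."""
    w = lambda v: int(v).to_bytes(32, "big")
    arr = lambda xs: w(len(xs)) + b"".join(w(int(x, 16)) for x in xs)
    head = [conf, len(required), len(optional), opt_k, 192, 192 + 32 * (1 + len(required))]
    return w(32) + b"".join(map(w, head)) + arr(required) + arr(optional)

def summarise(raw, operators):
    """operators: lowercase DVN address -> operator label (hypothetical curator map)."""
    required, optional, opt_k = decode_uln_config(raw)
    owner = lambda a: operators.get(a, a)  # an unlabelled DVN counts as its own operator
    signers = {owner(a) for a in required}  # every required DVN must verify
    need = opt_k - sum(1 for a in optional if owner(a) in signers)
    groups = Counter(owner(a) for a in optional if owner(a) not in signers)
    extra = 0
    for _, size in groups.most_common():  # largest operators first minimises the count
        if need <= 0:
            break
        need, extra = need - size, extra + 1
    n, k = len(required) + len(optional), len(required) + opt_k
    return {"dvn_count": n, "threshold": k, "one_of_one": (k, n) == (1, 1),
            "min_operators_to_verify": len(signers) + extra,
            "unlabelled": [a for a in required + optional if a not in operators]}
```

A 2-of-2 configuration whose two DVNs share one operator reports `min_operators_to_verify` of 1, which is the same-operator multi-DVN case the methodology distinguishes from independent operators.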