defirisk.co
rubric v1.7.0

Bridge binds message to srcChainId

Veda (BoringVault)'s assessment for RD-F-152 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

LayerZero v2 OApp passes Origin struct containing srcEid (source endpoint ID) to lzReceive(). The _lzReceive override checks idToChains[_origin.srcEid].allowMessagesFrom and reverts if false. Source chain binding is enforced by both the OApp contract and the underlying LZ v2 endpoint.

Sources #

  • GitHub
    LayerZeroTeller.sol _lzReceive sourceLayerZeroTeller.sol _lzReceive: Chain memory source = idToChains[_origin.srcEid]; if (!source.allowMessagesFrom) revert LayerZeroTeller__MessagesNotAllowedFrom(_origin.srcEid)retrieved 2026-05-17

Methodology #

Determine whether the bridge message struct includes `srcChainId` and the verifier enforces per-chain separation.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol veda factor RD-F-152 score green collected_at 2026-05-17 12:41:22