BlackHart

LayerZero

TEMPERED

Cross-Chain Messaging · Multi-chain · N/A (infra) TVL · 15 contracts

Confidence 73% · Z-Factor 0.78 · Updated 2026-05-06 · Cross-chain assessed · Public Score

Public risk assessment — scores are produced with the same methodology as monitored protocols

BRI Score: 749
Gauge scale: 300 · 475 · 650 · 825 · 1000

Security Profile

  • Access Ctrl: 70
  • Economic: 65
  • Oracle: 60
  • Compos.: 52
  • Govern.: 55
  • Maturity: 82
  • Resilience: 64
  • Supply Ch.: 72
  • X-Chain: 55
  • OpSec: 75
  • Cascade: 84

Min: 52 · Avg: 67 · Max: 84

Audit History

  • Zellic: 2023-05
  • Quantstamp: 2022-11
  • Trail of Bits: 2024-02

Bug Bounty Program

$15,000,000 max payout on Immunefi

Assessment

Mature cross-chain messaging protocol with a strong operational history but extreme compositional risk (D4=52, 100+ dependent protocols) and cross-chain trust assumptions (D10=55, DVN honesty model). Any LZ core bug cascades to the entire ecosystem. Governance centralization (D5=55) and the DVN trust model drag the score down from DAMASCUS. Good maturity (D6=82) and adversarial resilience (all findings FP) prevent a drop to FORGED.

Dimension Breakdown

Access Control: 70 (Good) · Weight 20% · 76% conf
  • 93 access control checks across 511 total checks (18.2% density)
  • Complex cross-chain authorization model with endpoint-library separation
  • onlyOwner (12 instances), onlyEndpoint, validVersion modifiers
  • Graph extraction missed custom patterns (onlyTreasury, nativeFees[msg.sender])
  • Admin can configure default libraries, DVNs, adapter params
Economic Soundness: 65 (Moderate) · Weight 15% · 72% conf
  • Cross-chain gas pricing model adds economic complexity
  • Fee model across chains creates arbitrage surface
  • Treasury fee accumulation (treasuryZROFees, nativeFees mappings)
  • 137 state writes with fee-related writes prominent
  • 5 price_feed edges in graph topology
Oracle Integrity: 60 (Moderate) · Weight 10% · 74% conf
  • DVN replaces oracle model from V1 but adds trust assumptions
  • DVN trust varies per pathway and configuration
  • Default DVN set controlled by LayerZero Labs (centralization)
  • hashLookup mapping is the verification state -- 4-deep nested mapping
  • FPValidator adds proof verification layer
Governance & Upgradeability: 55 (Moderate) · Weight 10% · 78% conf
  • LayerZero Labs retains significant control over core infrastructure
  • DVN selection initially centralized (Google Cloud, Polyhedra default set)
  • ZRO token governance immature
  • registerLibrary, setDefaultSendVersion, setDefaultReceiveVersion all admin-gated
  • Security council provides some decentralization
Battle-Tested Maturity: 82 (Strong) · Weight 10% · 80% conf
  • V1 live since 2022, V2 since 2024 (~4+ years org maturity)
  • No major exploits on core messaging infrastructure
  • V1->V2 migration demonstrates architectural iteration
  • Extensive audit coverage (Trail of Bits, Zellic, Code4rena)
  • Z-factor: 0.847
Adversarial Resilience: 64 (Moderate) · Weight 10% · 95% conf
  • Score derived from continuous adversarial security research
Cross-Chain Messaging: 55 (Moderate) · Weight 10% · 72% conf
  • DVN trust model: message verification depends on DVN set honesty
  • Message ordering: no guaranteed ordering across channels
  • Replay protection implemented but cross-chain state sync inherently fragile
  • Liveness: DVN failure can halt message delivery per pathway
  • 30+ chain deployments: each chain adds verification surface
  • 113 reentry edges -- cross-chain callbacks create reentrancy surface
Compositional Risk: 52 (Concerning) · Weight 5% · 72% conf
  • 100+ protocols depend on LayerZero for cross-chain messaging
  • Any core vulnerability cascades to entire ecosystem
  • 103 external calls across 9 contracts
  • OApp integration bugs are outside LayerZero control
  • Stargate, Radiant, Aptos bridge all depend on LZ
Supply Chain: 72 (Good) · Weight 5% · 76% conf
  • Custom messaging libraries (non-standard patterns)
  • Complex dependency graph across chain deployments
  • OFT standard adds integration complexity
  • 4 trust_dependency edges in core graph
  • Dual ULN versions (301, 302) add maintenance surface
Operational Security: 75 (Good) · Weight 5% · 76% conf
  • Active cross-chain monitoring infrastructure
  • Security council with incident response capability
  • Bug bounty program active on Immunefi
  • Demonstrated response during V1->V2 migration
Cascade Exposure: 84 (Strong) · Weight 5% · 55% conf
  • Appears in 1 cross-protocol cascade chain
  • Failure cascades to 4 downstream protocols
  • Member of 1 dependency cluster
  • Score: 84/100 (higher = more isolated from systemic risk)
  • Source: cross_protocol_composition.json dependency analysis

Risk Drivers

Primary risk factors driving this score, ordered by severity.

  • Compositional Risk: 52
  • Governance & Upgradeability: 55
  • Cross-Chain Messaging: 55

Adversarial Risk Signals

Observable security posture indicators. These signals reflect publicly verifiable information and responsible disclosure outcomes. No specific vulnerability details are exposed.

  • Disclosure History: Not Assessed
  • Remediation Velocity: Not Assessed
  • Bug Bounty Program: Not Assessed
  • Audit Coverage: Not Assessed
  • Incident History: Not Assessed

Deployed 2022-03-01 · Z-Factor 0.780 · 11 active dimensions

Score History & Verification

Score provenance tracking begins with the next reassessment.

On-Chain Data

  • Protocol Slug: "layerzero"
  • Oracle: BRORegistry (Base)
  • Evidence: IPFS (pinned)
  • Staleness Threshold: 24 hours
  • Read Score: registry.getScore("layerzero")
