LayerZero DVN Setups — which DeFi protocols are on 1x1, 2x2, 3x3?

A verifiable snapshot of which required-DVN stack secures each major LayerZero-based protocol. Dune shows the ecosystem slices; this page names the protocols.

Updated: April 2026
Source: LayerZero Scan + on-chain EndpointV2.getConfig
Published by ilmeaalim.com
Context: KelpDAO rsETH incident (April 2026).

The $290M drain on KelpDAO's rsETH traced back to a 1-of-1 DVN configuration — a single verifier could unilaterally approve cross-chain messages. This page exists because Dune's chart showed the ecosystem-wide split (47% on 1-of-1) without naming protocols. Knowing the aggregate doesn't help you if you don't know which protocols you use are on which tier.

Ecosystem snapshot (all ~2,665 active OApps — not this curated list)

From Duny's Dune analysis, aggregated across the entire LayerZero V2 ecosystem over the last 90 days. This is the universe; our curated list below is a hand-picked sample of well-known DeFi protocols.

  • 1-of-1 (single DVN): 47%
  • 2-of-2 (two required DVNs): 45%
  • 3-of-3 or higher: 5%
  • Other / unconfigured: 3%

Our curated list — well-known DeFi protocols

Below are 19 hand-picked DeFi protocols with their current DVN configurations. This is our own curated snapshot — the distribution here is not the ecosystem distribution above, because we deliberately focused on names users recognise.


Recommended Actions

What to do with this information depends on who you are. Pick the track that fits, and act on it — awareness without action doesn't reduce risk.

DeFi User

  1. Check every protocol you hold value in against this page or LayerZero Scan.
  2. If a protocol is in the Highly Risky bucket, size your position accordingly — a single compromised DVN can freeze or drain funds.
  3. Prefer bridges & OFTs with 2+ required DVNs for large transfers.
  4. Ask protocols publicly (Discord, Twitter) which DVNs secure their OApp. Silence is a signal.

Protocol Team

  1. Pull your current config: EndpointV2.getConfig(oapp, receiveLib, srcEid, 2) on every chain you deploy to.
  2. If you're on 1-of-1, move to at least 2-of-2 with independent DVN operators (different trust domains, not two from the same org).
  3. Add optional DVNs with a threshold to survive a single-DVN liveness failure without halting messages.
  4. Publish your DVN stack on your docs page. Users shouldn't have to decode UlnConfig structs to know who's securing their bridge.
  5. Review your executor and send library config too — DVNs are necessary but not sufficient.

Builder / Auditor

  1. Run Blockaid's 1-of-N audit script across the OApps in your portfolio or scope.
  2. Include DVN configuration in your security review checklist for any LayerZero integration.
  3. Watch for required vs. optional DVN shuffling: moving a DVN from required to optional weakens security without changing the headline "N DVNs" count.
  4. Help us fill in gaps — if you've verified a protocol's live config, email us and we'll update this page with a citation.

Everyone

  • Don't assume "LayerZero-secured" means multi-party. Roughly 47% of live OApps are still 1-of-1.
  • Ask before you trust. Every cross-chain action has a DVN set securing it — know who's in that set.
  • Bookmark this page. We refresh the snapshot when major protocols change configs or when new high-profile incidents hit.

Methodology & How to Verify

Two different populations on this page

The ecosystem snapshot (47% / 45% / 5%) is from Duny's Dune analysis and covers all ~2,665 active LayerZero OApp contracts over 90 days. The per-protocol cards below cover only the well-known DeFi protocols we track by name. The two don't match because the ecosystem includes thousands of tiny/abandoned OApps that never moved off the 1-of-1 default, while our curated list is biased toward established names that almost always upgrade.

What do "1-of-1", "2-of-2", "3-of-3" mean?

They're shorthand for how many required DVNs must attest before a message is delivered. "2-of-2" means 2 required DVNs are configured and both must sign. Optional DVNs (with a threshold) add defense-in-depth against liveness failures, but they don't rescue you from a compromised required DVN — if a required DVN refuses to sign, the message is blocked regardless.

Risk tiers on this page

Where does the per-protocol data come from?

This is a curated snapshot. No free, pre-indexed public dataset maps individual protocols to DVN setups today. To get live data you either (a) run Blockaid's public audit script against a free RPC, or (b) call EndpointV2.getConfig(oapp, receiveLib, srcEid, 2) on-chain and decode the UlnConfig struct. Every protocol card links directly to its page on LayerZero Scan where you can inspect the live config.
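
The decode step in option (b), together with the required-vs-optional shuffle check from the Builder / Auditor track, as an added example that is not code from this page, LayerZero or Blockaid. It assumes the bytes returned by getConfig are abi.encode(UlnConfig) with the field order given in the first comment; the function names are hypothetical and the DVN addresses are constructed.

```python
# Added example. Assumed struct layout (LayerZero V2 UlnConfig): confirmations,
# requiredDVNCount, optionalDVNCount, optionalDVNThreshold, requiredDVNs[], optionalDVNs[].

def _word(buf, off):
    if off + 32 > len(buf):
        raise ValueError("truncated UlnConfig blob")
    return int.from_bytes(buf[off:off + 32], "big")

def _addresses(buf, off):
    # Dynamic array: length word, then one left-padded 32-byte word per address.
    n = _word(buf, off)
    return ["0x%040x" % (_word(buf, off + 32 * (i + 1)) & (2**160 - 1)) for i in range(n)]

def decode_uln_config(raw):
    t = raw[_word(raw, 0):]  # struct tuple; the array offsets below are relative to it
    return {
        "confirmations": _word(t, 0),
        "optional_threshold": _word(t, 96),
        "required": _addresses(t, _word(t, 128)),
        "optional": _addresses(t, _word(t, 160)),
    }

def tier(cfg):
    # Page shorthand: N required DVNs, all of which must attest -> "N-of-N".
    r, o = len(cfg["required"]), len(cfg["optional"])
    label = f"{r}-of-{r}" if r else "no required DVN"
    return label + (f" + {cfg['optional_threshold']}-of-{o} optional" if o else "")

def demoted_dvns(old, new):
    # DVNs that were required in `old` but are only optional in `new`.
    return sorted(set(old["required"]) & set(new["optional"]))

def encode_uln_config(confirmations, required, optional, threshold):
    # Builds constructed sample bytes in the same shape as abi.encode(UlnConfig).
    def arr(addrs):
        return b"".join(int(a, 16).to_bytes(32, "big") for a in [hex(len(addrs))] + addrs)
    head = [confirmations, len(required), len(optional), threshold,
            192, 192 + 32 * (1 + len(required))]
    return (32).to_bytes(32, "big") + b"".join(v.to_bytes(32, "big") for v in head) \
        + arr(required) + arr(optional)

# Constructed DVN addresses, not real operators.
DVN_A, DVN_B, DVN_C = ("0x" + c * 40 for c in "abc")
BEFORE = decode_uln_config(encode_uln_config(15, [DVN_A, DVN_B], [], 0))
AFTER = decode_uln_config(encode_uln_config(15, [DVN_A], [DVN_B, DVN_C], 1))

if __name__ == "__main__":
    print(tier(BEFORE), "->", tier(AFTER), "| demoted:", demoted_dvns(BEFORE, AFTER))
```

Both sample configs list two or three DVNs, but the second has only one required DVN; comparing successive snapshots with demoted_dvns surfaces that change.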

How to update this page

All protocol data lives in the PROTOCOLS array at the top of the <script> block. Each entry has name, category, required, optional, threshold, chains, verified, and scanUrl. Edit the array and refresh — no build step.

References