This page is the canonical reference for choosing a production DVN configuration. The shorter Integration Checklist tells you what to do; this page explains why, and gives you the risk-tier guidance to choose between a 2-of-2, a 2-of-3, a 3-of-N, and so on.Documentation Index
Fetch the complete documentation index at: https://docs.layerzero.network/llms.txt
Use this file to discover all available pages before exploring further.
Threat model: what a DVN compromise means
A DVN attests that a specificpayloadHash was emitted by a specific source-chain message. The library on the destination chain accepts a message for delivery only if every required DVN has attested.
A 1-of-1 configuration means a single operator can:
- Forge messages that were never sent on the source chain. Any operation reachable by a forged message — minting tokens on the destination, releasing collateral from a lockbox, granting permissions — can be executed without consent of the OApp owner or the source chain.
- Suppress messages that were sent on the source chain (by simply refusing to attest), creating a censorship channel.
- The DVN operator’s signing keys.
- The DVN operator’s RPC infrastructure (an attacker who compromises every RPC the DVN reads can feed it false source-chain data, causing the DVN to attest forged events with its real keys).
- The DVN operator’s deployment artifacts (binaries, S3-hosted config, etc.).
- A social engineering or insider attack on the operator.
Choosing providers (the diversity rules)
The point of multi-DVN is to reduce correlated failure. A configuration with two DVNs run by the same operator, on the same infrastructure, with the same verification method, has correlated failure — a single compromise still breaks the pathway. Diversity dimensions, in order of priority:- Operator diversity. Two different legal entities. Two different on-call teams. Two different deployment pipelines.
- Infrastructure diversity. Different cloud providers. Different RPC providers. Different signing key custody.
- Verification method diversity. Examples: a node-based committee DVN paired with a zk-proof DVN; a native-bridge DVN paired with an oracle DVN. An attacker who exploits a bug in one method does not automatically compromise the other.
- Geographic / jurisdictional diversity. Less critical for most threat models, but relevant if your pathway is exposed to government-level censorship risk.
X-of-Y-of-N strategies
X-of-Y-of-N lets you mix mandatory and pluggable verifiers:- X (required) — DVNs that must attest every message. Increase X to require more independent witnesses.
- Y (threshold of optional) — minimum number of optional DVN attestations. Increase Y to require redundancy beyond the required set.
- N (total optional) — pool of optional DVNs available. Increase N to widen the pool.
- 2-of-2 strict:
X=2, optional=[]. Both required DVNs must attest. Simplest. Single point of liveness failure for either DVN — if one DVN goes offline, all messages stall. - 2-of-3:
X=2 with one optional, threshold 1(where one of three operators is in the “optional” slot). Two named operators are required; the third operator can sub for one of the named two if needed. Better liveness. - 2-of-3 redundant:
X=2, optional=[N=2, threshold=1]. Two required + at least one of two optional. Tolerates one optional DVN failing. Recommended for medium-value pathways. - 3-of-3 + 1-of-2 optional: Three required + one of two optional. Maximum security floor; widely used for critical assets.
Confirmation depth
confirmations is the number of source-chain blocks the DVN waits before attesting. Low confirmations are fast but allow reorg-vulnerable messages to be confirmed. High confirmations are slow but resilient to source-chain reorgs.
Recommended floors (tune to the source chain’s reorg profile):
- Ethereum mainnet: 15 minimum, 32 (1 epoch) preferred for high-value pathways.
- Optimistic L2s: typically 15–30; consult the L2’s reorg history before going below 15.
- ZK L2s: typically lower (1–5) is acceptable once finality is committed to L1, but check the specific rollup’s finality model.
- Solana: 32 minimum (consult the Solana DVN config docs).
- Move chains (Aptos, Sui, IOTA): consult the per-VM config docs.
[1, 1] for fast iteration during development. Replace with production values before mainnet.
Executor concentration
DVNs support a multi-attestor security stack (X-of-Y-of-N); the Executor does not — there is exactly one Executor per pathway. For high-value pathways, evaluate:- Running your own Executor (see Build Executors).
- Using a different third-party Executor.
- Operating without an Executor and using LayerZero Scan or a custom relayer to call
lzReceive/lzComposedirectly.
Pre-launch checks
Before mainnet, confirm:- Resolved config matches intent. Run
getConfig(or the per-VM equivalent) for every pathway. Compare against your target configuration in this document. Do not rely on defaults — see Default Config Checker. - DVNs are sorted in ascending address order on every
requiredDVNsandoptionalDVNsarray. The contract reverts on unsorted arrays. - Send and receive sides match. A common bug is updating one side and forgetting the other. Both directions of every pathway need symmetric configurations.
- No Dead DVN in your resolved config. A Dead DVN means the message will never be deliverable; this is a configuration error, not a security feature.
- Confirmations are production-grade, not the
[1, 1]development value. - Executor is set explicitly, not inherited from defaults.
- You have a tested rollback procedure for each pathway.
See also
- Security Stack (DVNs) — concept reference
- Migrating from a Single-DVN Configuration — operational migration guide
- Integration Checklist — pre-launch gate
- DVN Addresses — available providers per chain
- LayerZero Bug Bounty Scope — what’s in/out of scope (note: OApp DVN configuration is the OApp owner’s responsibility)