Security Stack (DVNs)
As mentioned in previous sections, every application built on top of the LayerZero protocol can configure a unique messaging channel.
This stack of multiple DVNs allows each application to configure a unique security threshold for each source and destination, known as X-of-Y-of-N.
In this stack, each DVN independently verifies the payloadHash of each message to ensure integrity. Once the designated DVN threshold has been reached, the message nonce can be marked as verified and inserted into the destination Endpoint for execution.
Each DVN applies its own verification method to check that the payloadHash is correct. Once the required DVNs and, optionally, a sufficient number of optional DVNs have confirmed the payloadHash, any authorized caller (for example, an Executor) can commit the message nonce into the destination Endpoint’s messaging channel for execution.
The following image and table describe how messages can be inserted into the Endpoint's messaging channel post-verification:
Message Nonce | Description |
---|---|
1 | The Security Stack has verified the payloadHash and the nonce has been committed to the Endpoint’s messaging channel. |
2 | All configured DVNs have verified the payloadHash, but no caller has yet committed the nonce to the Endpoint’s messaging channel. |
3 | Two required and one optional DVN have verified the payloadHash, meeting the security threshold, but the nonce has not yet been committed. |
4 | Even though the optional DVN threshold is met, the Security Stack requires that every required DVN (e.g. DVNᴬ) must verify the payloadHash before the nonce can be committed. |
5 | Only the required DVNs (e.g. DVNᴬ, DVNᴮ) have verified the payloadHash; none of the optional verifiers have submitted their proof. |
6 | Both the required DVNs and the optional threshold have verified the payloadHash, but no caller has committed the nonce to the Endpoint’s messaging channel yet. |
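The threshold rule behind the table rows can be modelled in a few lines. This is an added example, not LayerZero's contract code: the DVN names, the placeholder hash, the state labels and the `optionalDVNs` / `optionalDVNThreshold` field names are assumptions made for illustration.

```typescript
// Simplified model of the X-of-Y-of-N rule; not LayerZero's contract code.
interface SecurityStack {
  requiredDVNs: string[];       // every one of these must verify
  optionalDVNs: string[];       // pool of optional verifiers (assumed field name)
  optionalDVNThreshold: number; // optional verifiers needed (assumed field name)
}
// One DVN's submission for a nonce: the payloadHash it attests to.
interface Attestation { dvn: string; payloadHash: string; }
type NonceState = "committed" | "verifiable" | "waiting-required" | "waiting-optional";

function nonceState(stack: SecurityStack, expectedHash: string,
                    seen: Attestation[], committed: boolean): NonceState {
  // Only attestations for the expected payloadHash count toward the threshold.
  const ok = seen.filter(a => a.payloadHash === expectedHash).map(a => a.dvn);
  const has = (dvn: string): boolean => ok.indexOf(dvn) !== -1;
  // Required DVNs are all-or-nothing; optional attestations never replace them.
  if (!stack.requiredDVNs.every(has)) return "waiting-required";
  const optionalSeen = stack.optionalDVNs.filter(has).length;
  if (optionalSeen < stack.optionalDVNThreshold) return "waiting-optional";
  // Threshold met: committable, but a caller still has to commit the nonce.
  return committed ? "committed" : "verifiable";
}

// Constructed sample: 2 required DVNs plus 1-of-2 optional, as in the table rows.
const STACK: SecurityStack = {
  requiredDVNs: ["DVN-A", "DVN-B"],
  optionalDVNs: ["DVN-C", "DVN-D"],
  optionalDVNThreshold: 1,
};
const HASH = "0xaaaa"; // placeholder payloadHash
const by = (dvns: string[]): Attestation[] =>
  dvns.map(dvn => ({ dvn: dvn, payloadHash: HASH }));

function tableStates(): NonceState[] {
  return [
    nonceState(STACK, HASH, by(["DVN-A", "DVN-B", "DVN-C"]), true),           // nonce 1
    nonceState(STACK, HASH, by(["DVN-A", "DVN-B", "DVN-C", "DVN-D"]), false), // nonce 2
    nonceState(STACK, HASH, by(["DVN-A", "DVN-B", "DVN-C"]), false),          // nonce 3
    nonceState(STACK, HASH, by(["DVN-B", "DVN-C"]), false),                   // nonce 4
    nonceState(STACK, HASH, by(["DVN-A", "DVN-B"]), false),                   // nonce 5
    nonceState(STACK, HASH, by(["DVN-A", "DVN-B", "DVN-D"]), false),          // nonce 6
  ];
}
```

An attestation for a different payloadHash is ignored by `nonceState`, so a required DVN that signed the wrong hash leaves the nonce in `waiting-required`.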
Verification Model
Each DVN can use its own verification method to confirm that the payloadHash correctly represents the message contents. This design allows application owners to tailor their Security Stack based on the desired security level and cost–efficiency tradeoffs. For an extensive list of DVNs available for integration, see DVN Addresses.
DVN Adapters
DVN Adapters enable the integration of third-party generic message passing networks, such as native asset bridges, middlechains, or other specialized verification systems. With DVN Adapters, applications can incorporate diverse security models into their Security Stack, broadening the spectrum of available configurations while still ensuring a consistent verification interface via the payloadHash.
Since “DVN” broadly describes any verification mechanism that securely delivers a message’s payloadHash to the destination Message Library, application owners have the flexibility to integrate with virtually any infrastructure that meets their security requirements.
Configuring the Security Stack
Every LayerZero Endpoint can be used to send and receive messages. Because of that, each Endpoint has a separate Send and Receive Configuration, which an OApp can configure per remote Endpoint (i.e., the messaging channel, sending to that remote chain, receiving from that remote chain).
For a configuration to be considered valid, the Send Library configurations on Chain A must match the Receive Library configurations on Chain B.
Default Configuration
For each new channel, LayerZero provides a placeholder configuration known as the default. If you provide no configuration settings, the protocol will fall back to the default configuration.
This default configuration can vary per channel, changing the placeholder block confirmations, the X‑of‑Y‑of‑N thresholds for verification, the Executor, and the message libraries.
A default pathway configuration will typically have one of the following preset Security Stack configurations within SendULN302 and ReceiveULN302:
Preset | Security Stack | Executor |
---|---|---|
Default Send and Receive A | requiredDVNs: [ Google Cloud, LayerZero Labs ] | LayerZero Labs |
Default Send and Receive B | requiredDVNs: [ Polyhedra, LayerZero Labs ] | LayerZero Labs |
Default Send and Receive C | requiredDVNs: [ Dead DVN, LayerZero Labs ] | LayerZero Labs |
You can view all of the current default pathway configurations on LayerZero Scan's Default Configs by Chain.
What is a Dead DVN?
Since LayerZero allows anyone to permissionlessly run DVNs, the network may occasionally add new chain Endpoints before the default providers (Google Cloud or Polyhedra) support every possible pathway to and from that chain.
A default configuration with a Dead DVN will require you to either configure an available DVN provider for that Send or Receive pathway, or run your own DVN if no other security providers exist, before messages can safely be delivered to and from that chain.
Even if the default configuration presets match the settings you want to use for your application, you should always set your configuration, so that it cannot change. The LayerZero default is a placeholder configuration, and subject to change.
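A pre-deployment check can cover the three conditions described in this section: the Send configuration on Chain A matching the Receive configuration on Chain B, a Dead DVN in the required set, and reliance on the default. This is an added example, not LayerZero tooling: the `UlnSide` shape, the `fromDefault` flag and the comparison by provider name are assumptions for illustration.

```typescript
// Simplified view of one side of a pathway; not LayerZero's own types.
interface UlnSide {
  requiredDVNs: string[];       // provider names (assumption: addresses are per-chain)
  optionalDVNs: string[];       // assumed field name
  optionalDVNThreshold: number; // assumed field name
  fromDefault: boolean;         // hypothetical flag: OApp has set no config of its own
}

// Set equality in both directions, so ordering and duplicates do not matter.
function sameSet(a: string[], b: string[]): boolean {
  const within = (xs: string[], ys: string[]): boolean =>
    xs.every(x => ys.indexOf(x) !== -1);
  return within(a, b) && within(b, a);
}

function auditPathway(sendOnA: UlnSide, receiveOnB: UlnSide): string[] {
  const findings: string[] = [];
  if (!sameSet(sendOnA.requiredDVNs, receiveOnB.requiredDVNs)) {
    findings.push("requiredDVNs differ between Send (A) and Receive (B)");
  }
  if (!sameSet(sendOnA.optionalDVNs, receiveOnB.optionalDVNs) ||
      sendOnA.optionalDVNThreshold !== receiveOnB.optionalDVNThreshold) {
    findings.push("optional DVNs or threshold differ between Send (A) and Receive (B)");
  }
  const sides = [{ label: "Send (A)", cfg: sendOnA }, { label: "Receive (B)", cfg: receiveOnB }];
  sides.forEach(s => {
    if (s.cfg.requiredDVNs.indexOf("Dead DVN") !== -1) {
      findings.push(s.label + ": Dead DVN is required, configure an available DVN");
    }
    if (s.cfg.fromDefault) {
      findings.push(s.label + ": relies on the default, which is subject to change");
    }
  });
  return findings;
}

// Constructed sample configs using the preset names from the table above.
const PINNED: UlnSide = {
  requiredDVNs: ["Google Cloud", "LayerZero Labs"], optionalDVNs: [],
  optionalDVNThreshold: 0, fromDefault: false,
};
const DEFAULT_C: UlnSide = {
  requiredDVNs: ["Dead DVN", "LayerZero Labs"], optionalDVNs: [],
  optionalDVNThreshold: 0, fromDefault: true,
};
```

`auditPathway(PINNED, DEFAULT_C)` reports the mismatch, the Dead DVN and the reliance on the default for the Receive side, while `auditPathway(PINNED, PINNED)` returns no findings.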
Further Reading
To query and set your application's configuration, you can review these VM-specific guides: