← back to lessons

Lesson: Cross-chain consumer message-trust - where to actually look, and where it's a dead end

Date: 2026-06-11 Class: SEAMS / cross-chain message trust (consumer-side receive-handler) Source case: Venus Protocol OmnichainGovernanceExecutor (LayerZero v1), Arbitrum 0xc1858cCE6c28295Efd3eE742795bDa316D7c7526. WALK-CLEAN.

The 5-subclass checklist for ANY cross-chain consumer (reusable)

When auditing a _lzReceive/_handle/receiveWormholeMessages/_ccipReceive/nonblockingLzReceive consumer, verify ALL five. A gap in any one = potential takeover. Venus passed all five:

What WORKED (method)

What's a DEAD END (negative result, avoid re-mining)

Where the YIELD actually is (forward hunting pointers)

Scope rule (banked)

LayerZero's Immunefi program EXCLUDES "impacts to OApps as a result of their own misconfiguration." A consumer-side trustedRemote/srcChain bug is therefore NOT payable under LayerZero - it must be routed to the CONSUMER protocol's own bounty (here, Venus). Always map a consumer-side finding to the consumer's program, not the bridge's.

Generated 2026-07-02 13:15:05 UTC | auto-sync /15min