Why RPC is a critical attack surface
RPC (Remote Procedure Call) is how an application reads on-chain data and submits transactions to a blockchain. If the RPC endpoint is compromised, every downstream value the application trusts — balances, contract state, transaction confirmations — can be manipulated. That is why attackers increasingly target the RPC layer rather than smart contracts.
The LayerZero exploit was not a smart contract bug. The bridge failed to verify on-chain data: it relied on a quorum of two RPC providers without cryptographic proofs and without requiring multiple independent sources. When those RPCs were compromised, the bridge trusted falsified data and roughly $290M was stolen.
Frequently asked questions
What is RPC security?
RPC security means verifying that data returned by an RPC endpoint is authentic and untampered — typically via cross-validation across multiple independent providers, cryptographic proofs, and quorum mechanisms. If an RPC is compromised, downstream balances, contract state, and transactions can all be manipulated.
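A minimal sketch of cross-validation with a mixed-source quorum, as an added example (not code from this page or from Smart Router). The `Reply` type, the function names, the operator labels and the hash values are all constructed for illustration; it assumes you keep an inventory of which operator runs each endpoint, and it does not cover cryptographic proofs.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Reply:
    endpoint: str          # label for the RPC URL (constructed)
    operator: str          # who runs the node behind it; assumed known from your inventory
    value: Optional[str]   # e.g. block hash at a fixed height; None = timeout or error


def endpoint_quorum(replies, need=2):
    """Weak check: counts endpoints, so one operator with two URLs is a 'quorum'."""
    counts = Counter(r.value for r in replies if r.value is not None)
    value, n = counts.most_common(1)[0] if counts else (None, 0)
    return value if n >= need else None


def operator_quorum(replies, min_operators=2):
    """Return (accepted_value_or_None, {value: number_of_backing_operators})."""
    backers = defaultdict(set)               # value -> operators that returned it
    for r in replies:
        if r.value is not None:              # a timeout never counts as agreement
            backers[r.value].add(r.operator)
    tally = {v: len(ops) for v, ops in backers.items()}
    if not tally:
        return None, tally                   # fail closed: nobody answered
    responding = len(set().union(*backers.values()))
    best = max(tally, key=tally.get)
    # Require the operator threshold and a strict majority of responding operators.
    ok = tally[best] >= min_operators and tally[best] * 2 > responding
    return (best if ok else None), tally


# Constructed replies: two endpoints of one operator disagree with one other node.
SAME_OPERATOR = [
    Reply("rpc-a1", "operator-a", "0xfeed"),
    Reply("rpc-a2", "operator-a", "0xfeed"),
    Reply("rpc-b1", "operator-b", "0xc0de"),
]
# Constructed replies: three independent operators, one returns a different hash.
MIXED_SOURCE = [
    Reply("rpc-a1", "operator-a", "0xc0de"),
    Reply("rpc-b1", "operator-b", "0xc0de"),
    Reply("rpc-c1", "operator-c", "0xfeed"),
]
```

On `SAME_OPERATOR` the endpoint count accepts `0xfeed` while the operator-aware check refuses to accept anything; a non-empty tally with more than one value is the signal to alert on.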
How was LayerZero exploited for $290M?
It was not a smart contract bug. The bridge relied on a quorum of two RPC providers without cryptographic proofs and without requiring multiple independent sources. When those RPCs were compromised, the bridge trusted falsified data and roughly $290M was stolen.
Who should take this assessment?
CISOs, security engineers, and infrastructure leads at any organization running multi-chain or cross-chain applications, bridges, wallets, or DeFi protocols that depend on RPC providers.
How long does the assessment take?
About 5 minutes. Around 10 questions across the chains your infrastructure uses. No login required.
What does the report include?
A per-chain RPC security score, an overall posture tier, and prioritized recommendations to close gaps such as missing cross-validation, single-provider dependencies, and absent cryptographic verification.
What is Smart Router?
Smart Router is Magma's RPC security product. It provides data cross-validation, mixed-source quorum, and cryptographic verification across RPC providers to prevent LayerZero-class exploits.