Cross-Chain Security Principles: Why Lido’s Network Expansion Committee Chose Chainlink CCIP

May 14, 2026 in Multichain by Lido

Cross-chain bridge exploits have resulted in nearly $3 billion in hacked funds, making cross-chain infrastructure one of the most important security decisions for any asset expanding beyond its origin chain. The Kelp / LayerZero exploit has further highlighted the importance of carefully evaluating bridge security, operational safeguards, and issuer controls when expanding assets across networks.

Lido contributors are publishing this post to explain the security principles behind the protocol’s cross-chain strategy for Wrapped Staked Ether (wstETH), address community concerns over bridging standards across DeFi, and explain why Chainlink CCIP was selected as the official cross-chain infrastructure for wstETH. As wstETH continues its multi-chain expansion, user protection, DAO sovereignty, and maintaining the highest security standards are fundamental priorities for the protocol.

From Canonical Bridges to Chainlink CCIP

Currently, most cross-chain wstETH deployments rely on canonical bridges. The Network Expansion Committee (NEC), acting on behalf of the Lido DAO, reviews these deployments and formally recognizes them to make sure they adhere to the security standards and that the DAO retains ownership of these contracts. However, in practice this means that each cross-chain deployment is unique in terms of the set-up and requires monitoring of various systems rather than a single technical solution. Further, since the majority of recognized bridges are optimistic in nature, this approach reduces the efficiency of wstETH liquidity and arbitrage (since there is a 7+ day waiting period to withdraw back to mainnet).

Due to this, in November 2025 NEC chose to adopt Chainlink’s Cross-Chain Interoperability Protocol (CCIP) as the official cross-chain infrastructure for wstETH. With this integration, all cross-chain transfers of wstETH will be secured by Chainlink CCIP by leveraging the Cross-Chain Token (CCT) standard. Chainlink CCIP is already being used by wstETH on transactions between Ethereum, MegaETH, Monad and more. In the coming months, CCIP will be progressively implemented for wstETH bridges on the rest of the supported chains in stages, with thorough multi-step execution. In addition to securing cross-chain wstETH transfers, Chainlink CCIP also powers Lido’s Direct Staking rails, enabling users to stake ETH directly from L2 networks (e.g., Arbitrum, Base, and Optimism) and receive wstETH.

Bridge Security Considerations for wstETH

Recent cross-chain security incidents, including the Kelp / LayerZero exploit, have prompted questions from the community about how bridge design, operational controls, and safeguards apply to wstETH’s multi-chain expansion. The following table summarizes key architectural and operational considerations relevant to wstETH’s use of Chainlink CCIP, and highlights how this setup addresses the security principles prioritized by Lido DAO contributors.

	Chainlink CCIP	LayerZero
Decentralization	• 16 independent node operators validate all bridge lanes • Transparent security model easily communicated to end-users	• Default 2/2 DVN configuration • Limited decentralization options for DVN setups • Lack of standardized bridging configurations leads to different risk profiles on different chains
Safeguards	• Native support for rate-limiting defined on a per chain lane basis • Extensive offchain monitoring and alerting to halt lanes during abnormal chain activity • Siloed deployments (each lane interacts only with mainnet) rather than a meshed bridging network. • Lido DAO retains governance oversight, minting limits, and emergency-response controls	• Rate limiting requires custom engineering as an extension • Safety and risk logic implementation, including active monitoring, outsourced to asset issuers
Sovereignty	• CCIP preserves issuer control over all token contracts • No CCIP-specific logic required to be within token contract deployments • Eliminates structural vendor lock-in risk which ensures flexibility for future upgrades	• OFT tightly couples ERC20 to LayerZero infrastructure • Technical vendor lock-in makes it harder to migrate to alternative solutions in the future

Chainlink CCIP provides decentralization, native safeguards, and issuer control as part of its protocol-level design. These properties align closely with the security requirements Lido contributors identified for wstETH’s multi-chain expansion and help reduce exposure to risks associated with cross-chain transfer infrastructure.

1) Decentralized by Default, Secure by Default

The original priority for the NEC was to select a cross-chain architecture that delivers strong security-oriented design to minimize to the fullest extent possible potential bridge failure risk for wstETH holders and integrated DeFi applications.Aligned with the DAO’s security-first stance, CCIP does not rely on a single verifier, machine, or infrastructure provider. Rather, every CCIP bridge lane is secured by a minimum of 16 independent node operators that achieve decentralized consensus on every cross-chain interaction. CCIP node operators implement infrastructure diversity, including on-premise bare-metal and multi-region cloud deployments, along with operating robust RPC infrastructure with multiple layers of redundancies and verification checks. Robust cross-chain security and decentralization is a fundamental property built into the CCIP protocol itself.

During the October 20, 2025 AWS outage that impacted major web services and other cross-chain providers, CCIP experienced no downtime and remained fully operational thanks to this infrastructure diversity. Node operators in the Chainlink ecosystem include global enterprises, leading Web3 DevOps teams, and experienced Chainlink ecosystem projects, including organizations that also operate infrastructure for the Lido protocol such as P2P, Stakefish, StakingFacilities, and Everstake.

CCIP was chosen because these defense-in-depth principles are incorporated into its protocol foundation, helping reduce exposure to the types of risks that have affected some cross-chain systems.

2) Availability of Built-In Safeguards

An important consideration in selecting CCIP was that the protocol provides built-in safeguards by providing native support for issuer-managed rate limits. Such rate limiting can serve as circuit breakers that intentionally limit the flow of wstETH across chains during extreme market volatility, systemic stress, or operational disruption. CCIP rate limits are defined on a per chain lane basis, including a rate limit capacity (max amount per transaction) and a rate limit refill rate (rate at which available capacity is replenished). The specific rate limit configuration for each wstETH CCIP bridge lane can be seen on the CCIP Directory for wstETH.

A second consideration was the availability of siloed deployments, where each bridge only interacts between Ethereum Mainnet and the destination chain, rather than a meshed set-up where all bridge lanes interact with each other. In this case, if something were to go wrong with a single chain, it is contained to that specific lane rather than the full bridging set-up.

Furthermore, CCIP is covered by extensive offchain monitoring and alerting infrastructure to detect and react to any abnormal activity with the underlying blockchain networks, such as unexpected finality violations, chain re-organizations, or other network abnormalities.

Finally, Lido contributors are working with Chainlink to add secondary confirmations as an additional safeguard measure, where large wstETH transactions require an additional attestation before confirmation.

3) Issuer Sovereignty Without Vendor Lock-in

The NEC sought a multi-chain expansion strategy that prioritized long-term sovereignty, ensuring the protocol maintains control over all wstETH deployments, without any form of vendor lock-in. The NEC also considered whether cross-chain infrastructure choices could introduce dependencies that may limit future flexibility or make later migrations more complex.

By adopting Chainlink’s Cross-Chain Token (CCT) standard for wstETH, sovereignty is maintained over all token contracts. By eliminating the requirement to embed any CCIP-specific logic within wstETH token deployments, the CCT standard ensures flexibility for future upgrades, governance-led adjustments, and shifts in cross-chain architecture. Importantly, this prevents structural lock-in, allowing for the maintenance of long-term control over the wstETH multi-chain strategy.

Securing Cross-Chain wstETH

The decision to choose Chainlink CCIP serves as a broader imperative for the DeFi ecosystem: multi-chain expansion is a mission-critical infrastructure choice. Asset issuers must evaluate cross-chain systems with the same rigor they apply to custody, governance, and smart contract security.

The selection of interoperability infrastructure must move beyond considerations of convenience or ecosystem reach. Instead, asset issuers must evaluate their cross-chain strategy based on the most rigorous security and architectural standards:

What is the actual security floor that users inherit by default?
Are operational safeguards natively embedded within the infrastructure, or does the issuer need to implement additional controls independently?
Does the underlying architecture preserve issuer control, or does it introduce hidden, proprietary dependencies?
Can protocol governance evolve the cross-chain design over time without being constrained by structural lock-in?

The selection of Chainlink CCIP was driven by the protocol’s ability to provide the clearest and most secure answers to these fundamental requirements.

Building a Secure DeFi Ecosystem

As more value moves across chains, infrastructure will increasingly be evaluated on its ability to securely support critical assets at scale.

Cross-chain infrastructure must be secure by default, operationally resilient, and aligned with issuer sovereignty. Chainlink’s defense-in-depth model acts as the definitive standard for cross-chain interoperability, and a rigorous path for sustainable multi-chain expansion.

This rigorous standard and alignment with these security principles is why the NEC selected Chainlink CCIP as the official infrastructure for wstETH.

The information provided in this blog is for informational purposes only and reflects our views and understanding at the time of writing. The content does not constitute professional advice of any kind, including but not limited to legal, financial, investment, or regulatory advice.

Readers should not rely solely on the information presented here, and are strongly encouraged to conduct their own independent research and consult with qualified professionals before making any decisions based on the content.