LayerZero bridging protocol denies accusation of 'critical vulnerabilities'

Published at: Jan. 31, 2023

Summa founder James Prestwich has accused the LayerZero bridging protocol, whose flagship Stargate bridge holds $382 million, of hosting a “critical vulnerability.”

According to a Jan. 30 post by Prestwich, this vulnerability “could result in theft of all user funds.” LayerZero CEO Bryan Pellegrino has called Prestwich’s accusation “absolutely shocking” and “wildly dishonest,” claiming that the vulnerability only applies to applications that don’t modify the default configuration.

Absolutely shocking that a competitor would put out a wildly dishonest post about us. Happy to have @zellic_io @osec_io @ZOKYO_io or any other of the auditing firms come comment and dispel but let me summarize. If you set up your own config, absolutely none of this is true https://t.co/zXdqkqO4rZ

— Bryan Pellegrino (@PrimordialAA) January 30, 2023

LayerZero is a protocol used to create cross-chain blockchain bridges. Its most notable application is the Stargate Bridge, which can be used to move coins between several different blockchain networks, including Ethereum, BNB Chain (BNB), Avalanche (AVAX), Polygon (MATIC) and others. Stargate has $382 million of total value locked (TVL) in its smart contracts as of Jan. 30, according to DeFi Llama.

According to its whitepaper, the LayerZero protocol provides a trustless way of moving cryptocurrencies from one network to another. It does this by using two independent parties, an Oracle and a Relayer, to attest that a message (for a bridge, the record that coins were locked) was committed on the source chain before the destination chain acts on it by minting. As long as the Oracle and Relayer are independent and do not collude with each other, it should be impossible for coins to be minted on the destination chain without first being locked on the originating chain.

However, Prestwich claimed in a Jan. 30 blog post that Stargate and other bridges that use the “default configuration” for LayerZero suffer from a critical vulnerability. He claimed this vulnerability allows the LayerZero team to remotely change “the default Receiving library” or to “arbitrarily modify message payloads,” which can enable the team to bypass the Oracle and Relayer to transmit any message they want across the bridge. This implies that when LayerZero is used with its default configuration, it relies upon trust in the LayerZero team rather than in a decentralized protocol for its security.

Prestwich further claimed that Stargate suffers from this vulnerability since it uses the default configuration. To mitigate it, Prestwich advises app developers who use LayerZero to alter their smart contracts and set an explicit configuration. However, he says that most LayerZero apps still use the default configuration, putting them at risk.


LayerZero CEO Bryan Pellegrino vigorously denied Prestwich’s claims, calling them “wildly dishonest” in a Jan. 30 tweet. 

In a conversation with Cointelegraph on Jan. 31, Pellegrino stated that all validation libraries “are immutable forever, period.” The team can add new libraries but “can never change, remove, or do anything to” the ones that already exist. While the team can add new libraries to the registry, if an app has already chosen a particular library or set of libraries to be used, this cannot be changed by the LayerZero team.

Pellegrino admitted that the library an app “points to” can be changed by the LayerZero team if the app developer is using the defaults, but not if it has already moved away from the default configuration.

As for Prestwich’s claim that Stargate is at risk, Pellegrino responded by saying that the StargateDAO voted on Jan. 3 to change its library from the default to a specific one that is more gas-efficient. He expects this library change to be implemented “this week (likely today).” Once this update is made, “that will never be able to change on them unless Stargate votes and changes it themselves.”
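The dispute turns on one design detail: libraries are append-only, but the default pointer that unconfigured apps follow is controlled by the endpoint owner. The following toy model, added here to illustrate that point and not LayerZero's or Stargate's code, shows why an app that never pins a library inherits whatever the owner points the default at, while a pinned app does not. Every name in it (Endpoint, ReceiveLibrary, set_receive_version, USE_DEFAULT, the app and owner labels) is an assumption made for the example.

```python
# Constructed model of the mechanism described in the article, not LayerZero code.
# Assumed names: Endpoint, ReceiveLibrary, set_receive_version, USE_DEFAULT.
from __future__ import annotations

from dataclasses import dataclass

USE_DEFAULT = 0  # an app on this version follows the endpoint's default pointer


@dataclass(frozen=True)
class ReceiveLibrary:
    version: int
    checks_proof: bool  # True = requires both Oracle and Relayer attestations


class Endpoint:
    def __init__(self, owner: str):
        self.owner = owner
        self.libraries: dict[int, ReceiveLibrary] = {}   # append-only registry
        self.default_version: int | None = None          # owner-controlled pointer
        self.app_version: dict[str, int] = {}            # app -> pinned version

    def add_library(self, caller: str, lib: ReceiveLibrary) -> None:
        """The owner may register a new library; an existing version is never altered."""
        if caller != self.owner:
            raise PermissionError("only the endpoint owner can register libraries")
        if lib.version == USE_DEFAULT or lib.version in self.libraries:
            raise ValueError("library versions are immutable once registered")
        self.libraries[lib.version] = lib

    def set_default_receive_version(self, caller: str, version: int) -> None:
        """The owner may re-point the default at any registered library."""
        if caller != self.owner:
            raise PermissionError("only the endpoint owner can change the default")
        if version not in self.libraries:
            raise ValueError("unknown library version")
        self.default_version = version

    def set_receive_version(self, caller: str, app: str, version: int) -> None:
        """Only the app itself may pin (or un-pin) its own library."""
        if caller != app:
            raise PermissionError("only the app can change its own configuration")
        if version != USE_DEFAULT and version not in self.libraries:
            raise ValueError("unknown library version")
        self.app_version[app] = version

    def library_for(self, app: str) -> ReceiveLibrary:
        chosen = self.app_version.get(app, USE_DEFAULT)
        if chosen == USE_DEFAULT:
            if self.default_version is None:
                raise RuntimeError("no default library configured")
            chosen = self.default_version
        return self.libraries[chosen]

    def receive(self, app: str, oracle_attests: bool, relayer_attests: bool) -> bool:
        """Would an inbound message be accepted for `app`?"""
        lib = self.library_for(app)
        if lib.checks_proof:
            return oracle_attests and relayer_attests
        return True  # a library that skips verification accepts anything


def scenario() -> dict[str, bool]:
    """One app on the default, one pinned, before and after the owner repoints
    the default at a newly added library that skips verification."""
    ep = Endpoint(owner="lz_team")
    ep.add_library("lz_team", ReceiveLibrary(version=1, checks_proof=True))
    ep.set_default_receive_version("lz_team", 1)

    ep.set_receive_version("pinned_app", "pinned_app", 1)  # explicit config
    # "default_app" never calls set_receive_version: it inherits the default.

    forged = dict(oracle_attests=False, relayer_attests=False)  # no real proof
    results = {
        "default_before": ep.receive("default_app", **forged),
        "pinned_before": ep.receive("pinned_app", **forged),
    }

    # The owner can neither overwrite an existing library nor re-pin another app...
    for attempt in (lambda: ep.add_library("lz_team", ReceiveLibrary(1, False)),
                    lambda: ep.set_receive_version("lz_team", "pinned_app", 2)):
        try:
            attempt()
        except (ValueError, PermissionError):
            pass
        else:
            raise AssertionError("owner should not be able to do this")

    # ...but can append a new library and move the default pointer to it.
    ep.add_library("lz_team", ReceiveLibrary(version=2, checks_proof=False))
    ep.set_default_receive_version("lz_team", 2)

    results["default_after"] = ep.receive("default_app", **forged)
    results["pinned_after"] = ep.receive("pinned_app", **forged)
    return results


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: forged message accepted = {accepted}")
```

In this model the owner has exactly the two powers Pellegrino describes, appending a library and moving the default pointer, and nothing else; the only difference between the two apps is whether they ever called set_receive_version. Whether a given deployment is in the first or the second state is a question an integrator can answer by reading its own configuration on-chain rather than by trusting either side of the argument.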

Cross-chain bridge security has been a hot topic in the crypto community over the past few years, as hundreds of millions of dollars have been lost through bridge hacks. In March 2022, the Axie Infinity Ronin Bridge was drained of roughly $625 million by an attacker who obtained five of the nine validator keys needed to approve withdrawals and used them to sign withdrawals that were never backed by deposits. A similar attack, this time compromising two of the five keys on the bridge’s multisig, hit the Harmony Horizon Bridge on June 24, 2022. Over $100 million was lost in the Horizon attack. The Harmony team has since relaunched the bridge using the LayerZero protocol.
