LayerZero was reported to have used multi-signature wallets to transact Meme tokens, and the default library contract upgrade mechanism poses risks.

ChainCatcher reports that, according to market sources, LayerZero Labs co-founder and CEO Bryan Pellegrino had a heated debate today with security researchers in the ETHSecurity Community Telegram group. The core controversy includes: because LayerZero Labs can immediately upgrade a default library contract without time restrictions to forge messages (similar to the hack of rsETH), the $3 billion+ LZ OFT recently faces theft risks; researcher Banteg pointed out that mainstream projects like Ethena and EtherFi still used the default library contract weeks ago, and currently $178 million remains exposed to risk, with these funds coming from projects still using the default library.

On-chain data shows that LayerZero Labs multi-signature signers participated in meme coin trading, DEX swaps, and cross-chain bridging activities that are not multi-sig activities, indicating that the official environment multi-sig keys were connected to the website, increasing phishing risks. Regarding the use of production environment keys for transactions by LayerZero multi-sig signers, Bryan confirmed that the transactions were completed by team members with multi-sig, but denied they were “meme coin trades,” explaining it as “testing PEPE on the LZ OFT token standard,” and stated that the involved members have been removed. Bryan also suggested that projects “directly fix configurations” instead of using default settings to reduce risks. Banteg then tagged a long list of LayerZero users still using default library contracts, pointing out that these projects should migrate to fixed configurations as soon as possible.