LayerZero default library contract security risks spark debate; researchers point out cross-chain message forgery vulnerabilities

BlockBeats News, May 8 — Earlier today, in the ETHSecurity Community Telegram group, a heated debate erupted between LayerZero co-founder Bryan Pellegrino and security researchers. The researchers pointed out that LayerZero’s default library contract has a fatal flaw: LayerZero Labs can upgrade the contract instantly, without a timelock, and could thereby forge cross-chain messages. They identified this as the root cause of the earlier rsETH attack. It is reported that over $3 billion worth of LayerZero OFT (Omnichain Fungible Tokens) have been at risk because of it.

According to Banteg, as of a few weeks ago, mainstream projects such as Ethena and EtherFi were still using this risky default library contract. Currently, approximately $178 million remains exposed to potential attack. On-chain data he disclosed shows that LayerZero Labs’ multisignature signers have engaged in non-multisig activity from the same keys, including trading meme coins, swapping on DEXs, and cross-chain bridge operations. This indicates that production multisig signer keys are being connected to ordinary websites, which greatly increases the risk of phishing. Critics bluntly stated that LayerZero’s private key management is “like that of a high school student.”

In response, LayerZero co-founder Bryan stated that the relevant signers have been removed, that the transactions were “tests,” and that the default configuration is suitable for “teams that do not prioritize security.” He emphasized that most major apps have already switched and that LayerZero is actively promoting user security, but it has not held every application accountable one by one.
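The exposure described above comes from an OApp inheriting whatever send/receive library the endpoint owner designates as the default, so the practical check for an integrating team is whether their contract still relies on those defaults. The following read-only audit helper is an added example, not code from the article, from LayerZero, or from any of the projects named. It assumes LayerZero V2’s EndpointV2 exposes the view functions getSendLibrary, isDefaultSendLibrary and getReceiveLibrary with the signatures shown (verify them against the endpoint actually deployed on your chain); the endpoint address and the list of remote endpoint ids are supplied by the caller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; not LayerZero's or any integrator's production code.
// ASSUMPTION: the signatures below mirror LayerZero V2's EndpointV2
// (MessageLibManager). Check them against the deployed endpoint before use.
interface IEndpointV2LibView {
    function getSendLibrary(address sender, uint32 dstEid) external view returns (address lib);
    function isDefaultSendLibrary(address sender, uint32 dstEid) external view returns (bool);
    function getReceiveLibrary(address receiver, uint32 srcEid) external view returns (address lib, bool isDefault);
}

/// @notice Reports, per remote endpoint id, whether an OApp/OFT still inherits
/// the endpoint owner's default send or receive library. An OApp on defaults
/// follows any future change the endpoint owner makes to those defaults, which
/// is the risk discussed above; a pinned library does not.
contract DefaultLibAudit {
    struct PathStatus {
        uint32 eid;             // remote endpoint id
        address sendLib;        // library used when sending to `eid`
        bool sendIsDefault;     // true if `sendLib` is only inherited from the endpoint default
        address receiveLib;     // library used when receiving from `eid`
        bool receiveIsDefault;  // true if `receiveLib` is only inherited from the endpoint default
    }

    IEndpointV2LibView public immutable endpoint;

    constructor(address _endpoint) {
        endpoint = IEndpointV2LibView(_endpoint);
    }

    /// @param oapp the OApp/OFT contract being audited
    /// @param eids remote endpoint ids the OApp is configured to talk to (caller-supplied)
    /// @return out per-path status; anyDefault is true if any path still inherits a default
    function audit(address oapp, uint32[] calldata eids)
        external
        view
        returns (PathStatus[] memory out, bool anyDefault)
    {
        out = new PathStatus[](eids.length);
        for (uint256 i = 0; i < eids.length; i++) {
            uint32 eid = eids[i];
            address sendLib = endpoint.getSendLibrary(oapp, eid);
            bool sendDefault = endpoint.isDefaultSendLibrary(oapp, eid);
            (address recvLib, bool recvDefault) = endpoint.getReceiveLibrary(oapp, eid);
            out[i] = PathStatus(eid, sendLib, sendDefault, recvLib, recvDefault);
            if (sendDefault || recvDefault) {
                anyDefault = true;
            }
        }
    }
}
```

If `anyDefault` comes back true for a production OApp, the remediation is the one the article says most major apps have already applied: the OApp’s owner or delegate pins explicit library addresses for each path (in V2 this is done through the endpoint’s setSendLibrary and setReceiveLibrary calls, names assumed here as above) and sets its own verifier configuration rather than inheriting the defaults, so that a later change by the endpoint owner no longer alters the contract’s verification path. The multisig hygiene point is separate from this check: signer keys used for a production multisig should live on dedicated devices that are not used for everyday DEX or bridge interactions.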
