Security flaws in LayerZero's default library contracts have sparked intense debate in the community today. Researchers pointed out a critical weakness: LayerZero Labs can upgrade the contracts instantly, with no time lock, which would allow them to forge cross-chain messages. This is precisely the root cause of the earlier rsETH attack incident.
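As an added illustration that is not LayerZero's code and not part of the original post: a minimal Solidity sketch of a messaging endpoint whose verifier contract can be swapped by its owner. All names here (IVerifier, EndpointBase, EndpointWeak, EndpointTimelocked, UPGRADE_DELAY, AcceptAllVerifier) are hypothetical. The first endpoint shows the pattern the post describes, an owner-controlled verifier whose replacement takes effect immediately; the second requires the change to be announced and then waits a fixed delay before it can be applied.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only. Not LayerZero's code; every name below is hypothetical.

interface IVerifier {
    // Returns true if `payloadHash` was attested for (srcChainId, srcSender, nonce).
    function verify(uint32 srcChainId, bytes32 srcSender, uint64 nonce, bytes32 payloadHash)
        external view returns (bool);
}

// Shared delivery logic: a message is accepted only if the current verifier attests to it.
abstract contract EndpointBase {
    IVerifier public verifier;
    mapping(bytes32 => bool) public delivered;

    event Delivered(uint32 srcChainId, bytes32 srcSender, uint64 nonce, bytes32 payloadHash);

    function deliver(uint32 srcChainId, bytes32 srcSender, uint64 nonce, bytes calldata payload) external {
        bytes32 h = keccak256(payload);
        bytes32 key = keccak256(abi.encode(srcChainId, srcSender, nonce));
        require(!delivered[key], "replay");
        require(verifier.verify(srcChainId, srcSender, nonce, h), "not verified");
        delivered[key] = true;
        emit Delivered(srcChainId, srcSender, nonce, h);
    }
}

// A verifier that attests to anything. Whoever can install it can "deliver" a
// message that no source chain ever sent; this is what an instant upgrade enables.
contract AcceptAllVerifier is IVerifier {
    function verify(uint32, bytes32, uint64, bytes32) external pure returns (bool) { return true; }
}

// WEAK: the owner swaps the verifier with immediate effect, in the same block
// in which it then calls deliver(). Applications get no warning and no exit window.
contract EndpointWeak is EndpointBase {
    address public owner;

    constructor(IVerifier v) { owner = msg.sender; verifier = v; }

    function setVerifier(IVerifier v) external {
        require(msg.sender == owner, "not owner");
        verifier = v; // no delay, no announcement
    }
}

// HARDENED: the same change must be proposed first and can only be applied after
// UPGRADE_DELAY, giving applications time to inspect the new verifier, pause, or exit.
contract EndpointTimelocked is EndpointBase {
    uint256 public constant UPGRADE_DELAY = 7 days; // hypothetical value
    address public owner;
    IVerifier public pendingVerifier;
    uint256 public pendingEta;

    event VerifierProposed(address verifier, uint256 eta);
    event VerifierCancelled(address verifier);
    event VerifierApplied(address verifier);

    constructor(IVerifier v) { owner = msg.sender; verifier = v; }

    function proposeVerifier(IVerifier v) external {
        require(msg.sender == owner, "not owner");
        require(address(v) != address(0), "zero verifier");
        pendingVerifier = v;
        pendingEta = block.timestamp + UPGRADE_DELAY;
        emit VerifierProposed(address(v), pendingEta);
    }

    function cancelVerifier() external {
        require(msg.sender == owner, "not owner");
        emit VerifierCancelled(address(pendingVerifier));
        delete pendingVerifier;
        delete pendingEta;
    }

    // Anyone may apply once the delay has elapsed; the owner cannot shorten it.
    function applyVerifier() external {
        require(address(pendingVerifier) != address(0), "nothing pending");
        require(block.timestamp >= pendingEta, "timelock active");
        verifier = pendingVerifier;
        emit VerifierApplied(address(verifier));
        delete pendingVerifier;
        delete pendingEta;
    }
}
```

A time lock only buys safety if someone watches for the VerifierProposed event and applications can pause or withdraw during the delay; it does not remove the owner's power, it makes its use visible in advance. It also does nothing about the other concern the post raises: if the multisig that owns the endpoint is controlled by signers whose keys are also used as everyday hot wallets, a key compromise can still push a malicious proposal through the delay.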


Over $3 billion worth of OFT (Omnichain Fungible Token) assets has been at risk, with approximately $178 million still exposed. Even more concerning, LayerZero Labs' multisig signers have reportedly been engaging in non-multisig activity, such as trading meme tokens and DEX swaps, leading critics to describe their private key management as "like that of a high school student."
This is not just a technical bug. It exposes a fundamental trust issue in cross-chain infrastructure: even when users treat cross-chain messages as "immutable," the contracts that verify them can still be unilaterally changed by the project team. Trust shifts from the code to the project team's operational practices.
In response, leading protocols like Kelp DAO have deprecated LayerZero and switched to Chainlink CCIP. This marks a divergence in the cross-chain security narrative: from "general-purpose cross-chain bridges" to "verifiable trust-minimized solutions."
For users, it is important to be aware that not all cross-chain solutions are equally secure. A bridge whose verification contracts can be changed by a single project's multisig is still a trust assumption, not trust minimization. Before interacting with cross-chain assets, check whether the bridge's verification contracts are upgradeable, who holds the upgrade keys, and whether a time lock delays upgrades, and give priority to audited and more decentralized solutions.
$zro #link #dex