LayerZero was reported to have used multi-signature wallets to transact Meme tokens, and the default library contract upgrade mechanism is considered risky.

Golden Finance reports that on May 8th, according to market sources, Bryan Pellegrino, co-founder and CEO of LayerZero Labs, engaged in a heated debate with security researchers in the ETHSecurity Community Telegram group.
The core controversy includes: because LayerZero Labs can immediately upgrade a default library contract without time restrictions to forge messages (similar to the hack of rsETH), the $3 billion+ worth of LZOFT is recently at risk of theft;
Researcher Banteg pointed out that mainstream projects like Ethena and EtherFi still used the default library contract weeks ago, and currently $178 million worth of assets are exposed to risk, with these funds coming from projects still using the default library.
On-chain data shows that LayerZero Labs multi-signature signers participated in non-multisignature activities such as Meme coin trading, DEX swaps, and cross-chain bridging, indicating that the production environment multisig keys had connected to the website, increasing phishing risks.
Regarding the use of production environment keys for trading activities by LayerZero multisignature signers, Bryan confirmed that the transactions were completed by team members with multisig access but denied they were “meme coin trades,” explaining it as “testing PEPE on the LZOFT token standard,” and stated that the involved members had been removed.
Bryan also suggested that the project team “directly fix the configuration” instead of using default settings to reduce risks.
Banteg then tagged a long list of LayerZero usernames still using default library contracts, pointing out that these projects should migrate to fixed configurations as soon as possible.