LayerZero reportedly used multi-signature wallets to trade meme coins, and its default library contract upgrade mechanism poses risks

ChainCatcher reports that, according to market sources, LayerZero Labs co-founder and CEO Bryan Pellegrino had a fierce debate with security researchers in the ETHSecurity Community Telegram group today. The main points of contention: because LayerZero Labs can upgrade a default library contract immediately and without any time restriction in order to forge messages (similar to the rsETH hack), LZ OFT assets worth more than $3 billion have recently been at risk of theft. Researcher Banteg pointed out that mainstream projects such as Ethena and EtherFi have continued to use that default library contract for weeks, and that $178 million worth of assets currently remains exposed, all of it belonging to projects that are still using the default library contract.

On-chain data shows that LayerZero Labs multi-signature signers took part in non-multi-signature activities such as meme coin trading, DEX swaps, and cross-chain bridging. This indicates that multi-signature keys used in the production environment were connected to websites, which increases phishing risk. Bryan confirmed that the transactions in question were carried out by team members who had multi-signature access, but denied that they were “meme coin trades,” explaining them as “testing PEPE on the LZ OFT token standard,” and said the members involved have been removed. Bryan also suggested that projects should “directly lock in fixed configurations” rather than rely on defaults, in order to reduce risk. Banteg then tagged a long list of LayerZero users that are still using the default library contract and said these projects should migrate to fixed configurations as soon as possible.
