LayerZero reportedly used multi-signature wallets to trade meme coins, and the default library contract upgrade mechanism poses risks

ChainCatcher reports that, according to market sources, LayerZero Labs co-founder and CEO Bryan Pellegrino had a heated dispute today with a security researcher in the ETHSecurity Community Telegram group. The core of the controversy: because LayerZero Labs can upgrade a default library contract immediately, without any time limit, and thereby forge messages (similar to the rsETH hack), LZ OFT assets worth more than $3 billion have recently been at risk of being stolen. Researcher Banteg noted that mainstream projects such as Ethena and EtherFi were still using the default library contract weeks ago, and that $178 million worth of value remains exposed; these funds belong to projects that are still using the default library contract.

On-chain data shows that LayerZero Labs multi-signature signers took part in activities unrelated to the multi-sig, such as meme coin trading, DEX swaps, and cross-chain bridging. This means that the production-environment multi-sig keys had been connected to websites, increasing phishing risk.

Regarding the use of production-environment multi-sig keys for these transactions, Bryan confirmed that they were carried out by multi-sig team members, but denied that they were “meme coin trades.” He explained them as “testing PEPE on the LZ OFT token standard” and stated that the members involved have been removed. Bryan also suggested that projects should “directly fix configurations” rather than rely on default configurations, in order to reduce risk. Banteg then tagged a long list of LayerZero users still using the default library contract, pointing out that these projects should migrate to fixed configurations as soon as possible.
