LayerZero was reported to have used multi-signature wallets to transact Meme coins, and the default library contract upgrade mechanism is considered risky.

ChainCatcher reports, citing market sources, that LayerZero Labs co-founder and CEO Bryan Pellegrino had a heated dispute today with security researchers in the ETHSecurity Community Telegram group. The core controversy includes: because LayerZero Labs can immediately upgrade a default library contract with no time limit to forge messages (similar to the rsETH hack), LZ OFT worth more than $3 billion faces a risk of being stolen; researcher Banteg noted that mainstream projects such as Ethena and EtherFi were still using this default library contract weeks ago, and that $178 million in value remains exposed to risk—these funds come from projects that are still using the default library.

On-chain data shows that LayerZero Labs multi-signature signers took part in activities that are not multi-sig activities, such as meme coin trading, DEX swaps, and cross-chain bridging—meaning that the official environment’s multi-sig keys had been connected to the website, increasing phishing risks. Regarding the fact that, for transactions involving LayerZero multi-signature signers using production environment keys, Bryan confirmed that these transactions were completed by multi-sig team members, he denied that they were “meme coin trades,” explaining it as “testing PEPE on the LZ OFT token standard,” and said the involved members have been removed. Bryan also advised projects to “directly fix configurations” rather than relying on default configurations to reduce risk. Banteg then tagged a long list of LayerZero users who are still using the default library contract, pointing out that these projects should migrate to fixed configurations as soon as possible.