LayerZero bridging protocol denies accusation of ‘critical vulnerabilities’


LayerZero is the protocol used by Stargate bridge, which has over $382 million locked in its smart contracts.

Summa founder James Prestwich has accused the $382 million LayerZero bridging protocol of hosting a “critical vulnerability.”

According to a Jan. 30 post by Prestwich, this vulnerability “could result in theft of all user funds.” LayerZero CEO Bryan Pellegrino has called Prestwich’s accusation “absolutely shocking” and “wildly dishonest,” claiming that the vulnerability only applies to applications that don’t modify the default configuration.

LayerZero is a protocol used to create cross-chain blockchain bridges. Its most notable application is the Stargate Bridge, which can be used to move coins between several different blockchain networks, including Ethereum, BNB Chain (BNB), Avalanche (AVAX), Polygon (MATIC) and others. Stargate has $382 million of total value locked (TVL) in its smart contracts as of Jan. 30, according to DeFi Llama.

According to its whitepaper, the LayerZero protocol provides a trustless way of moving cryptocurrencies from one network to another. It does this by using an Oracle and Relayer to verify that coins are locked on one chain before allowing a coin to be minted on a different chain. As long as the Oracle and Relayer are independent and do not collude with each other, it should be impossible for coins to be minted on the destination chain without first being locked on the originating chain.

However, Prestwich claimed in a Jan. 30 blog post that Stargate and other bridges that use the “default configuration” for LayerZero suffer from a critical vulnerability. He claimed this vulnerability allows the LayerZero team to remotely change “the default Receiving library” or to “arbitrarily modify message payloads,” which can enable the team to bypass the Oracle and Relayer to transmit any message they want across the bridge. This implies that when LayerZero is used with its default configuration, it relies upon trust in the LayerZero team rather than in a decentralized protocol for its security.

Prestwich further claimed that Stargate suffers from this vulnerability since it uses the default configuration. To mitigate against this vulnerability, Prestwich advises app developers who use LayerZero to alter their smart contracts to change the configuration. However, he says that most LayerZero apps still use the default configuration, putting them at risk.

Related: Cross-chain interoperability remains a barrier to crypto mass adoption

LayerZero CEO Bryan Pellegrino vigorously denied Prestwich’s claims, calling them “wildly dishonest” in a Jan. 30 tweet.

In a conversation with Cointelegraph on Jan. 31, Pellegrino stated that all validation libraries “are immutable forever, period.” The team can add new libraries but “can never change, remove, or do anything to” the ones that already exist. While the team can add new libraries to the registry, if an app has already chosen a particular library or set of libraries to be used, this cannot be changed by the LayerZero team.

Pellegrino admitted that the library an app “points to” can be changed by the LayerZero team if the app developer is using the defaults, but not if it has already moved away from the default configuration.

As for Prestwich’s claim that Stargate is at risk, Pellegrino responded by saying that the StargateDAO voted on Jan. 3 to change its library from the default to a specific one that is more gas-efficient. He expects this library change to be implemented “this week (likely today).” Once this update is made, “that will never be able to change on them unless Stargate votes and changes it themselves.”
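To make the disputed trust model concrete, here is an added toy model of the configuration lookup the two sides are describing; it is not LayerZero's code, and every name in it (Endpoint, add_library, set_default_receive_version, set_receive_version, uses_default, the library names) is an assumption of the model. It has an append-only library registry, a team-controlled default pointer, a per-application override, and the check an app deployer would want: whether the app is still following the default.

```python
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    owner: str                                               # the protocol team
    libraries: list = field(default_factory=list)            # append-only registry, 1-based versions
    default_receive_version: int = 0                         # team-controlled pointer
    app_receive_version: dict = field(default_factory=dict)  # app -> pinned version; absent = default

    def add_library(self, caller: str, lib: str) -> int:
        # Only the team registers libraries; entries already registered are never edited.
        if caller != self.owner:
            raise PermissionError("only the protocol team registers libraries")
        self.libraries.append(lib)
        return len(self.libraries)

    def set_default_receive_version(self, caller: str, version: int) -> None:
        # Moving the default silently re-routes every app that never pinned a version.
        if caller != self.owner:
            raise PermissionError("only the protocol team moves the default")
        self.default_receive_version = self._known(version)

    def set_receive_version(self, caller: str, app: str, version: int) -> None:
        # An app pins its own library; only the app itself may change that choice.
        if caller != app:
            raise PermissionError("only the application may change its own config")
        self.app_receive_version[app] = self._known(version)

    def uses_default(self, app: str) -> bool:
        # The check a deployer wants: is this app still trusting the team's pointer?
        return app not in self.app_receive_version

    def receive_library(self, app: str) -> str:
        # Resolve which library will verify messages delivered to `app`.
        v = self.app_receive_version.get(app, self.default_receive_version)
        return self.libraries[self._known(v) - 1]

    def _known(self, version: int) -> int:
        if not 1 <= version <= len(self.libraries):
            raise ValueError("unknown library version")
        return version


def trust_demo() -> dict:
    # Article scenario: pinned_app pinned v1, default_app never did, then the team moves the default.
    ep = Endpoint(owner="team")
    ep.add_library("team", "ValidationLib-v1")
    ep.set_default_receive_version("team", 1)
    ep.set_receive_version("pinned_app", "pinned_app", 1)
    ep.add_library("team", "ValidationLib-v2")  # a new entry; v1 itself is untouched
    ep.set_default_receive_version("team", 2)   # re-routes default_app only
    return {a: ep.receive_library(a) for a in ("default_app", "pinned_app")}
```

After the team moves the default, trust_demo() resolves the unpinned app to the new library and the pinned app to the one it chose, which is the difference the two sides are arguing over.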

Cross-chain bridge security has been a hot topic in the crypto community over the past few years, as millions of dollars have been lost through bridge hacks. In May 2022, the Axie Infinity Ronin Bridge was exploited for $600 million by an attacker who stole keys to the developers’ multi-sig wallet and used it to mint coins without any backing. A similar attack occurred against the Harmony Horizon Bridge on June 24, 2022. Over $100 million was lost in the Horizon attack. The Harmony team has since relaunched the bridge using the LayerZero protocol.
