Summa founder James Prestwich has accused LayerZero bridge protocol, valued at USD 382 million, of having a “critical vulnerability”.
According to a post of Prestwich on January 30, this vulnerability “could result in the theft of all user funds.” The CEO of LayerZero, Bryan Pellegrino, has described the Prestwich prosecution as “absolutely shocking” Y “wildly dishonest”, stating that the vulnerability only applies to applications that do not modify the default settings.
Absolutely shocking that a competitor would put out a wildly dishonest post about us. Happy to have @zellic_io @osec_io @ZOKYO_io or any other of the auditing firms come comment and dispel but let me summarize.
If you set up your own config, absolutely none of this is true https://t.co/zXdqkqO4rZ
— Bryan Pellegrino (@PrimordialAA) January 30, 2023
LayerZero is a protocol used to create bridges between blockchains. Its most notable application is the Stargate bridge, which can be used to move coins between a number of different blockchain networks, including Ethereum, BNB Chain (BNB), Avalanche (AVAX), Polygon (MATIC), and others. Stargate has $382 million of total value locked (TVL) in its smart contracts as of January 30, according to DeFi Llama.
According to his report, the LayerZero protocol provides a reliable way to move cryptocurrency from one network to another. To do this, it uses an Oracle and a Relayer that verify that the coins are locked in one chain before allowing a coin to be minted in a different chain. As long as the Oracle and Relayer are independent and not colluding with each other, it should be impossible to mint target on-chain coins without first being locked into the source chain.
However, Prestwich claimed in a January 30 blog post that Stargate and other bridges that use the “default configuration” of LayerZero suffer from a critical vulnerability. It claimed that this vulnerability allows the LayerZero team to remotely change “the default receiving library” or “arbitrarily modify message payloads”, which may allow the team to bypass Oracle and Relayer to broadcast any message they want to across the bridge. This implies that when LayerZero is used with its default configuration, your security depends on trust in the LayerZero team and not on a decentralized protocol.
Prestwich further stated that Stargate suffers from this vulnerability since it uses the default configuration. To mitigate this vulnerability, Prestwich advises application developers using LayerZero to modify their smart contracts to change the settings. However, he claims that most LayerZero apps are still using the default settings, which puts them at risk.
LayerZero CEO Bryan Pellegrino strongly denied Prestwich’s claims, calling them “grossly dishonest” in a tweet on January 30.
In a conversation with Cointelegraph on Jan. 31, Pellegrino claimed that all validation libraries “are immutable forever, period.” The team can add new libraries but “can never change, remove, or do anything to” existing ones. Although the team can add new libraries to the registry, if an application has already chosen a certain library or set of libraries to use, this cannot be changed by the LayerZero team.
Pellegrino admitted that the library to which “aim” An app can be modified by the LayerZero team if the app developer is using the defaults, but not if they have already moved away from the default settings.
As for Prestwich’s claim that Stargate is in danger, Pellegrino responded by saying that the StargateDAO voted on January 3 to change their default library to a specific one that is more gas-efficient. Expect this library change to take effect “this week (probably today)”. Once this update is done, “that can never change on them unless Stargate votes and changes it themselves.”
Cross-chain bridge security has been a hot topic in the crypto community in recent years, as millions of dollars have been lost to bridge hacks. In May 2022, Axie Infinity’s Ronin Bridge was compromised for $600 million by an attacker who stole the keys to the developers’ multisig wallet and used it to mint unbacked coins. A similar attack occurred against the Harmony Horizon Bridge on June 24, 2022. Over $100 million was lost in the Horizon attack. Since then, the Harmony team has relaunched the bridge using the LayerZero protocol.
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information presented here should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.
Keep reading:
Investments in crypto assets are not regulated. They may not be suitable for retail investors and the entire amount invested may be lost. The services or products offered are not directed or accessible to investors in Spain.