LayerZero CEO denies accusations of critical trusted third-party vulnerabilities

Quick Take

  • Nomad CTO James Prestwich made a raft of accusations against rival project LayerZero, claiming it had undisclosed trusted third-party vulnerabilities.
  • LayerZero CEO Bryan Pellegrino dismissed the claims, although he did acknowledge that the issue could affect a majority of projects on LayerZero.

LayerZero CEO Bryan Pellegrino denied accusations that LayerZero — in connection with its Stargate bridge — has two critical trusted third-party vulnerabilities.

“It’s 100% factually incorrect and I'd ask you speak to any auditor who has worked on the project,” Pellegrino told The Block.

He was responding to claims made earlier today by developer James Prestwich, founder and CTO of Nomad, a rival cross-chain protocol.

Prestwich said the two vulnerabilities stem from the LayerZero relayer, which currently runs on a two-party multisig. They can only be exploited by insiders, meaning team members whose identities are known, so the risk of an external exploit is lower; he cited this as one of the reasons he released the report.

The first vulnerability would allow fraudulent messages to be sent from the LayerZero multisig. This type of exploit could result in theft of “all user funds,” Prestwich wrote on Twitter.

The second vulnerability would allow modifying messages after the oracle and multisig have signed off on messages or transactions. Similarly, Prestwich claims this vulnerability could result in the theft of all user funds.

Vulnerabilities common

Prestwich said the LayerZero team was “aware of the above vulnerabilities” and “chose not to disclose or otherwise address them.”

Stargate is open to both vulnerabilities and is actively being exploited by the LayerZero team to modify messages, he claimed. Stargate is a bridging protocol that's one of the largest applications running on LayerZero and was built by the team as a proof of concept for the underlying protocol.

The first vulnerability can be mitigated by applications adjusting their configuration in code, he said. The second cannot be permanently mitigated because new chains may be added.

LayerZero uses oracles and the two-party multisig system to ensure no fraudulent messages or transactions get sent.

In conversation with The Block, Prestwich acknowledged that trusted third-party vulnerabilities are common and not that big of a problem because trusted parties are often trustworthy. However, he said the real problem was LayerZero denying that this was possible and leveraging its access to patch issues with Stargate.

LayerZero dismisses claims

LayerZero's Pellegrino slammed the report on Twitter, calling it “wildly dishonest.” He said the claims only apply to projects that use the default configurations on the network and that they don't apply to any that set up their own configurations.

Pellegrino told The Block that it's good that teams are able to choose how they want to set up their projects. He argued that they should have the ability to choose the settings that they want, depending on their security preferences.

He did acknowledge that most projects built on LayerZero currently use the default configurations. While this does include Stargate right now, a vote was recently passed to change this, and it's in the process of being executed.

“I think everybody should pick and nobody should use the defaults unless you either trust the multisig to not act maliciously (most do) or are doing something where security isn’t number one priority,” he said.
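The configuration point the two sides are arguing over, as an added illustration in Python: a toy cross-chain message receiver that accepts a message only when every verifier in the application's own configuration has attested to a hash of the whole message. This is constructed here and is not LayerZero's, Stargate's or Nomad's code; the names DEFAULT_ORACLE, DEFAULT_RELAYER and APP_OWN_VERIFIER, the AppConfig structure, the message fields and the use of HMAC in place of signatures are all assumptions, because the page does not describe the real protocol's interfaces. It shows two things the article touches on: an application that keeps the default verifiers accepts anything those two default parties jointly attest, while an application that adds a verifier it runs itself does not; and an attestation bound to the full message hash rejects a payload that was changed after sign-off.

```python
import hashlib
import hmac
from dataclasses import dataclass


def message_digest(src_chain: int, dst_chain: int, nonce: int, payload: bytes) -> bytes:
    """Hash every field the receiver acts on, so an attestation is bound to all of them."""
    header = (src_chain.to_bytes(4, "big")
              + dst_chain.to_bytes(4, "big")
              + nonce.to_bytes(8, "big"))
    return hashlib.sha256(header + payload).digest()


class Verifier:
    """An off-chain party (oracle, relayer, or a verifier the app runs itself) that
    attests to a message digest. HMAC stands in for a signature so this runs offline;
    the secret models the party's signing key."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self._secret = secret

    def attest(self, digest: bytes) -> bytes:
        return hmac.new(self._secret, digest, hashlib.sha256).digest()

    def check(self, digest: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.attest(digest), tag)


@dataclass(frozen=True)
class AppConfig:
    """The verifiers an application requires before it accepts a message (assumed shape)."""
    required: tuple


# Constructed sample parties; the secrets are placeholders, not real key material.
DEFAULT_ORACLE = Verifier("default-oracle", b"sample-oracle-key")
DEFAULT_RELAYER = Verifier("default-relayer", b"sample-relayer-key")
APP_OWN_VERIFIER = Verifier("app-own-verifier", b"sample-app-key")

# The shared defaults, and a configuration that keeps them but adds an app-run verifier.
DEFAULT_CONFIG = AppConfig((DEFAULT_ORACLE, DEFAULT_RELAYER))
CUSTOM_CONFIG = AppConfig((DEFAULT_ORACLE, DEFAULT_RELAYER, APP_OWN_VERIFIER))


def collect_attestations(verifiers, digest: bytes) -> dict:
    """Each listed verifier signs off on the digest it was shown."""
    return {v.name: v.attest(digest) for v in verifiers}


def deliver(config: AppConfig, src_chain: int, dst_chain: int, nonce: int,
            payload: bytes, attestations: dict) -> bool:
    """Accept only if every verifier the app requires attested to this exact message."""
    digest = message_digest(src_chain, dst_chain, nonce, payload)
    for verifier in config.required:
        tag = attestations.get(verifier.name)
        if tag is None or not verifier.check(digest, tag):
            return False
    return True


def scenario_honest_delivery() -> bool:
    """Both default parties attest to the message that is actually delivered."""
    payload = b"transfer:100:alice"
    att = collect_attestations(DEFAULT_CONFIG.required, message_digest(1, 2, 7, payload))
    return deliver(DEFAULT_CONFIG, 1, 2, 7, payload, att)


def scenario_modified_after_signoff() -> bool:
    """Attestations were produced for one payload; a different payload is then presented.
    Because the digest covers the payload, the receiver rejects it."""
    att = collect_attestations(DEFAULT_CONFIG.required,
                               message_digest(1, 2, 8, b"transfer:100:alice"))
    return deliver(DEFAULT_CONFIG, 1, 2, 8, b"transfer:100000:mallory", att)


def scenario_defaults_only_attest() -> tuple:
    """A message that only the two default parties attested: accepted by an app on the
    default configuration, rejected by an app that also requires its own verifier."""
    payload = b"mint:500:carol"
    digest = message_digest(1, 2, 9, payload)
    att = collect_attestations((DEFAULT_ORACLE, DEFAULT_RELAYER), digest)
    return (deliver(DEFAULT_CONFIG, 1, 2, 9, payload, att),
            deliver(CUSTOM_CONFIG, 1, 2, 9, payload, att))


if __name__ == "__main__":
    print("honest delivery accepted:", scenario_honest_delivery())
    print("modified-after-signoff accepted:", scenario_modified_after_signoff())
    print("defaults-only (default app, custom app):", scenario_defaults_only_attest())
```

The third scenario is the trust boundary behind Pellegrino's "pick your own settings" remark: every application on the default configuration trusts the same two parties, so a decision by those parties reaches all of them at once, while an application that adds a verifier it controls is unaffected by anything the defaults attest on their own. The second scenario rests on an assumption this model makes explicit: the attestation covers a hash of every field the receiver acts on. Whether a real protocol's sign-off binds the full message, or leaves some field changeable afterwards, is exactly the question an auditor would check, and the page does not answer it.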

As for the accusation that LayerZero hid these abilities, Pellegrino said that the team has been very public about them.


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Authors

Tim is the Editor-In-Chief of The Block. Prior to joining The Block, Tim was a news editor at Decrypt. He has earned a bachelor's degree in philosophy from the University of York and studied news journalism at Press Association Training. Follow him on X @Timccopeland.
Mike is a reporter on the crypto ecosystems team who specializes in zero-knowledge proofs and applications. Prior to joining The Block, Mike worked with Circle, Blocknative, and various DeFi protocols on growth and strategy.

Editor

Nathan Crooks and Madhu Unnikrishnan