LayerZero denies allegations of vulnerabilities
Bryan Pellegrino, CEO of LayerZero Labs, denied on the 31st that there is a vulnerability in "LayerZero", the cross-chain protocol the company is developing.
Absolutely shocking that a competitor would put out a wildly dishonest post about us. Happy to have @zellic_io @osec_io @ZOKY_io or any other of the auditing firms come comment and dispel but let me summarize.
If you set up your own config, absolutely none of this is true https://t.co/zXdqkqO4rZ
— Bryan Pellegrino (@PrimordialAA) January 30, 2023
The matter was raised by James Prestwich, the founder of Nomad, a project that competes with the company. On the 31st, Prestwich claimed that two of LayerZero's smart contracts were vulnerable.
What is a smart contract
A smart contract is a mechanism that enforces a contract according to pre-programmed conditions. Ethereum (ETH) is the typical blockchain that implements smart contract functionality.
Concluding a conventional contract usually requires an intermediary and administrative work such as drafting the document; smart contracts are expected to make such intermediaries and work unnecessary.
Mr. Prestwich claims that the contracts "Endpoint" and "UltraLightNodeV2" are vulnerable. According to him, the vulnerabilities in these two contracts allow LayerZero itself to exploit apps built on LayerZero if those apps leave the default settings in place.
Specifically, he points out that there is a "backdoor" that allows LayerZero to send messages without the signature of an intermediary such as a relayer or an oracle. For example, he says LayerZero could send fraudulent messages to apps, bypassing the "2 of 2" multisig formed by the relayer and the oracle, and steal crypto assets (virtual currencies).
Mr. Pellegrino of LayerZero countered this point as follows.
All of the points raised are based on the default settings. The feature pointed out was made for when the team is testing the functionality, when security is not a priority.
Every app is allowed to configure LayerZero on its own, so this is not a flaw or a vulnerability; it is by design.
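The mechanism at the centre of the dispute, a message path that is only checked against the app's oracle and relayer when the app has set its own config, is easiest to see in a small model. The following is an added illustration written for this page, not LayerZero's code; the `AppConfig` fields, the `test_mode` default and the `PROTOCOL_OPERATOR` shortcut are assumptions chosen to mirror the article's description.

```python
# Simplified model of "2 of 2" message verification with an operator-only
# shortcut that applies to apps still on the protocol-wide default config.
# Illustrative only (assumed structure), not the real LayerZero contracts.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AppConfig:
    oracle: str               # address expected to attest the source block
    relayer: str              # address expected to deliver the proof
    test_mode: bool = False   # assumed: skips the 2-of-2 check for the operator


# Assumed: every app inherits this until it explicitly overrides it.
DEFAULT_CONFIG = AppConfig("default-oracle", "default-relayer", test_mode=True)
PROTOCOL_OPERATOR = "protocol-operator"  # constructed placeholder address


@dataclass
class Message:
    sender: str
    payload: bytes
    attestations: dict = field(default_factory=dict)  # role -> attesting address


class Endpoint:
    def __init__(self) -> None:
        self._configs: dict[str, AppConfig] = {}

    def set_config(self, app: str, cfg: AppConfig) -> None:
        self._configs[app] = cfg

    def config_for(self, app: str) -> AppConfig:
        return self._configs.get(app, DEFAULT_CONFIG)

    def deliver(self, app: str, msg: Message) -> bool:
        """True if the message passes verification for this app."""
        cfg = self.config_for(app)
        if cfg.test_mode and msg.sender == PROTOCOL_OPERATOR:
            return True  # the default-only shortcut the article calls a backdoor
        return (msg.attestations.get("oracle") == cfg.oracle
                and msg.attestations.get("relayer") == cfg.relayer)

    def apps_on_default(self, apps: list[str]) -> list[str]:
        """Defender's check: which apps never set their own config."""
        return [a for a in apps if a not in self._configs]


def demo() -> tuple[bool, bool, bool]:
    ep = Endpoint()
    forged = Message(PROTOCOL_OPERATOR, b"withdraw-all")       # no attestations
    on_default = ep.deliver("vault", forged)                    # True: accepted
    ep.set_config("vault", AppConfig("oracle-A", "relayer-B"))  # explicit 2-of-2
    after_config = ep.deliver("vault", forged)                  # False: rejected
    honest = Message("user", b"transfer", {"oracle": "oracle-A", "relayer": "relayer-B"})
    return on_default, after_config, ep.deliver("vault", honest)
```

Running `demo()` shows the same unattested operator message accepted while the app sits on the default config and rejected once the app pins its own oracle and relayer, while a properly attested message still passes.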
Background to the allegation
According to "CoinDesk", which interviewed him on the matter, Mr. Pellegrino suggested that the background to Mr. Prestwich's allegation may be a governance vote scheduled at Uniswap, a major decentralized exchange (DEX). Uniswap is due to hold a governance vote to select the provider of its bridge service, he said.
In response to Prestwich's remarks, several people on Twitter defended LayerZero. For example, the founder of OtterSec, which audits LayerZero, stated that "this is LayerZero's design, and I don't think it's a vulnerability."
I agree with Bryan here — this is explicitly part of LayerZero's design and not really something I'd consider a vulnerability.
—Robert Chen (@NotDeGhost) January 30, 2023
Other partners said, “This design has been discussed and documented.”
On the other hand, Mr. Prestwich argued that he did not point out the vulnerability in order to criticize a competing project. Nomad's bridge has been offline for about six months since last year's hack, so, he says, he cannot call himself a competitor in the current situation.
He revealed that one of the Uniswap voters had asked him to investigate LayerZero's code.
LayerZero CEO as guest on "GM Radio"
CoinPost Global, the new global edition of CoinPost, aired its first GM Radio on December 15, 2018. Bryan Pellegrino, CEO and co-founder of LayerZero Labs, was invited as a special guest, and an interview was conducted on the theme "LayerZero is Building the Future of Web3". The number of simultaneous viewers peaked at over 700, and the response greatly exceeded expectations.
Listen to the archive here.
⏰ Reminder: Our first #GMRadio is today, starting in 30 minutes (3:30 UTC / 19:30 PST / 12:30 JST)
— CoinPost Global (@CoinPost_Global) December 15, 2022