LayerZero CEO denies accusations of critical trusted third-party vulnerabilities
LayerZero CEO Bryan Pellegrino denied accusations that LayerZero — in connection with its Stargate bridge — has two critical trusted third-party vulnerabilities.
«It’s 100% factually incorrect and I’d ask you speak to any auditor who has worked on the project,” Pellegrino told The Block.
He was responding to claims made earlier today by developer James Prestwich, founder and CTO of Nomad, a rival cross-chain protocol.
Prestwich said the two vulnerabilities stem from the LayerZero relayer, which is currently on a two-party multisig. The vulnerabilities can only be exploited by insiders, or team members who have known identities, and this was one of the reasons he released the report, as there’s a lower risk of an external exploit.
The first vulnerability would allow fraudulent messages to be sent from the LayerZero multisig. This type of exploit could result in theft of “all user funds,” Prestwich wrote on Twitter.
The second vulnerability would allow modifying messages after the oracle and multisig have signed off on messages or transactions. Similarly, Prestwich claims this vulnerability could result in the theft of all user funds.
Prestwich said the LayerZero team was “aware of the above vulnerabilities” and “chose not to disclose or otherwise address them.”
Stargate is open to both vulnerabilities and is actively being exploited by the LayerZero team to modify messages, he claimed. Stargate is a bridging protocol that’s one of the largest applications running on LayerZero and was built by the team as a proof of concept for the underlying protocol.
The first vulnerability can be mitigated by applications making some coding configurations. Permanent mitigation of the second vulnerability can’t happen because of the possible addition of new chains, he said.
LayerZero uses oracles and the two-party multisig system to ensure no fraudulent messages or transactions get sent.
In conversation with The Block, Prestwich acknowledged that trusted third-party vulnerabilities are common and not that big of a problem because trusted parties are often trustworthy. However, he said the real problem was LayerZero denying that this was possible and leveraging its access to patch issues with Stargate.
LayerZero dismisses claims
LayerZero’s Pellegrino slammed the report on Twitter, calling it “wildly dishonest.” He said the claims only apply to projects that use the default configurations on the network and that they don’t apply to any that set up their own configurations.
Pellegrino told The Block that it’s good that teams are able to choose how they want to set up their projects. He argued that they should have the ability to choose the settings that they want, depending on their security preferences.
He did acknowledge that most projects built on LayerZero currently use the default configurations. While this does include Stargate right now, a vote was recently passed to change this, and it’s in the process of being executed.
“I think everybody should pick and nobody should use the defaults unless you either trust the multisig to not act maliciously (most do) or are doing something where security isn’t number one priority,” he said.
As for the accusation that LayerZero hid these abilities, Pellegrino said that the team has been very public about them.