Summa founder James Prestwich has accused the $382 million LayerZero bridging protocol of hosting a “critical vulnerability.”
According to a Jan. 30 post by Prestwich, this vulnerability “could result in theft of all user funds.” LayerZero CEO Bryan Pellegrino has called Prestwich’s accusation “absolutely shocking” and “wildly dishonest,” claiming that the vulnerability only applies to applications that don’t modify the default configuration.
Absolutely shocking that a competitor would put out a wildly dishonest post about us. Happy to have @zellic_io @osec_io @ZOKYO_io or any other of the auditing firms come comment and dispel but let me summarize.
If you set up your own config, absolutely none of this is true https://t.co/zXdqkqO4rZ
— Bryan Pellegrino (@PrimordialAA) January 30, 2023
LayerZero is a protocol used to create cross-chain blockchain bridges. Its most notable application is the Stargate Bridge, which can be used to move coins between several different blockchain networks, including Ethereum, BNB Chain (BNB), Avalanche (AVAX), Polygon (MATIC) and others. Stargate has $382 million of total value locked (TVL) in its smart contracts as of Jan. 30, according to DeFi Llama.
According to its whitepaper, the LayerZero protocol provides a trustless way of moving cryptocurrencies from one network to another. It does this by using an Oracle and Relayer to verify that coins are locked on one chain before allowing a coin to be minted on a different chain. As long as the Oracle and Relayer are independent and do not collude with each other, it should be impossible for coins to be minted on the destination chain without first being locked on the originating chain.
However, Prestwich claimed in a Jan. 30 blog post that Stargate and other bridges that use the “default configuration” for LayerZero suffer from a critical vulnerability. He claimed this vulnerability allows the LayerZero team to remotely change “the default Receiving library” or to “arbitrarily modify message payloads,” which can enable the team to bypass the Oracle and Relayer to transmit any message they want across the bridge. This implies that when LayerZero is used with its default configuration, it relies upon trust in the LayerZero team rather than in a decentralized protocol for its security.
Prestwich further claimed that Stargate suffers from this vulnerability since it uses the default configuration. To mitigate against this vulnerability, Prestwich advises app developers who use LayerZero to alter their smart contracts to change the configuration. However, he says that most LayerZero apps still use the default configuration, putting them at risk.
LayerZero CEO Bryan Pellegrino vigorously denied Prestwich’s claims, calling them “wildly dishonest” in a Jan. 30 tweet.
In a conversation with Cointelegraph on Jan. 31, Pellegrino stated that all validation libraries “are immutable forever, period.” The team can add new libraries but “can never change, remove, or do anything to” the ones that already exist. While the team can add new libraries to the registry, if an app has already chosen a particular library or set of libraries to be used, this cannot be changed by the LayerZero team.
Pellegrino admitted that the library an app “points to” can be changed by the LayerZero team if the app developer is using the defaults, but not if it has already moved away from the default configuration.
As for Prestwich’s claim that Stargate is at risk, Pellegrino responded by saying that the StargateDAO voted on Jan. 3 to change its library from the default to a specific one that is more gas-efficient. He expects this library change to be implemented “this week (likely today).” Once this update is made, “that will never be able to change on them unless Stargate votes and changes it themselves.”
Cross-chain bridge security has been a hot topic in the crypto community over the past few years, as millions of dollars have been lost through bridge hacks. In May, 2022, the Axie Infinity Ronin Bridge was exploited for $600 million by an attacker who stole keys to the developers’ multi-sig wallet and used it to mint coins without any backing. A similar attack occurred against the Harmony Horizon Bridge on June 24, 2022. Over $100 million was lost in the Horizon attack. The Harmony team has since relaunched the bridge using the LayerZero protocol.