LayerZero CEO Dismisses Claims of Critical Vulnerability as ‘Baseless’

by Leon Okwatch · 3 min read


In a series of heated exchanges on X (formerly Twitter), LayerZero Labs’ co-founder and CEO Bryan Pellegrino dismissed claims of a critical vulnerability in the LayerZero protocol as “entirely baseless”.

The controversy began when pseudonymous blockchain security researcher 0x52 disclosed what he claimed to be a critical flaw in LayerZero’s messaging protocol. Since then, 0x52 has deleted his original tweet and apologized for the false alarm.

Details of the Alleged Vulnerability

0x52’s claim stemmed from his audit of UXDProtocol under the Sherlock DeFi audit program. He asserted that LayerZero’s endpoint contract, which relays messages between applications on different chains, did not bound the size of a message payload or of its destination address.

He warned that an attacker could send a message carrying an oversized destination address, causing delivery on the receiving side to fail and potentially halting communication between the connected chains. This, he argued, could lead to significant financial losses for affected protocols.

According to 0x52, the issue could affect many protocols built on LayerZero, especially those bridging EVM (Ethereum Virtual Machine) chains and non-EVM chains such as Solana, since the two use different address sizes (20-byte EVM accounts versus 32-byte Solana public keys).

LayerZero CEO’s Response and Design Philosophy

In response to 0x52, Pellegrino countered that the ability to configure payload limits is a deliberate design choice. He explained that a protocol-enforced limit could be used as a censorship lever, which runs against LayerZero’s goal of a censorship-resistant system.

Pellegrino further clarified that the code 0x52 referenced dates back to 2022 and is application-level configuration, not the core protocol. The payload size limit is part of each application’s security settings and can be adjusted by the application itself. He noted that if an application could not override this setting, LayerZero could block that application’s messaging simply by setting the limit to zero, which would contradict the protocol’s design principles.

Pellegrino encouraged skeptics to fork and test the system themselves, insisting that the issue could only occur if an application specifically opted to configure it that way, similar to how an individual application on Ethereum might have bad contract configurations.
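As an added illustration (not LayerZero’s code, and not a claim about how its endpoint is implemented), the following Python model shows the two checks the dispute turns on: rejecting a destination address of the wrong length for the target VM before anything else runs, and applying a per-application payload limit that only the application itself can set, including the zero-limit case Pellegrino describes. The chain names, default limit, and addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Address sizes per VM family: EVM accounts are 20 bytes, Solana public keys 32.
ADDRESS_LEN = {"evm": 20, "solana": 32}

DEFAULT_MAX_PAYLOAD = 10_000  # hypothetical endpoint-wide default, in bytes


@dataclass
class Message:
    src_chain: str
    dst_chain: str
    dst_address: bytes   # receiving application on dst_chain
    payload: bytes


@dataclass
class Endpoint:
    # Per-application overrides keyed by the app's own address. The app is the
    # only party allowed to write its own entry, so nobody else can zero it out.
    app_limits: dict = field(default_factory=dict)
    delivered: list = field(default_factory=list)

    def set_payload_limit(self, caller: bytes, app: bytes, limit: int) -> None:
        if caller != app:
            raise PermissionError("only the application may change its own limit")
        if limit < 0:
            raise ValueError("limit must be non-negative")
        self.app_limits[app] = limit

    def payload_limit(self, app: bytes) -> int:
        return self.app_limits.get(app, DEFAULT_MAX_PAYLOAD)

    def deliver(self, msg: Message) -> tuple:
        # 1. Validate the destination address length for the target VM first, so an
        #    oversized or wrong-VM address fails fast instead of reaching the app.
        expected = ADDRESS_LEN.get(msg.dst_chain)
        if expected is None:
            return False, "unknown destination chain"
        if len(msg.dst_address) != expected:
            return False, f"bad address length {len(msg.dst_address)} (expected {expected})"
        # 2. Enforce the app's own limit. A limit of 0 rejects every non-empty
        #    payload, which is exactly why the limit must be app-owned, not global.
        limit = self.payload_limit(msg.dst_address)
        if len(msg.payload) > limit:
            return False, f"payload {len(msg.payload)} exceeds app limit {limit}"
        self.delivered.append(msg)
        return True, "delivered"


def run_scenarios() -> dict:
    """Exercise the checks with constructed addresses and payloads."""
    ep = Endpoint()
    app_a = b"\x0a" * 20      # constructed EVM application address
    app_b = b"\x0b" * 20      # constructed EVM application address
    sol_app = b"\x5c" * 32    # constructed Solana program address

    ep.set_payload_limit(app_a, app_a, 256)  # app A opts into a tight limit
    ep.set_payload_limit(app_b, app_b, 0)    # app B misconfigures itself to zero

    # A third party trying to zero out app A's limit must be refused.
    try:
        ep.set_payload_limit(app_b, app_a, 0)
        third_party_blocked = False
    except PermissionError:
        third_party_blocked = True

    return {
        "oversized_address": ep.deliver(Message("evm", "evm", b"\xff" * 4096, b"hi")),
        "solana_addr_to_evm": ep.deliver(Message("solana", "evm", sol_app, b"hi")),
        "solana_ok": ep.deliver(Message("evm", "solana", sol_app, b"x" * 300)),
        "app_a_at_limit": ep.deliver(Message("evm", "evm", app_a, b"x" * 256)),
        "app_a_over_limit": ep.deliver(Message("evm", "evm", app_a, b"x" * 257)),
        "app_b_zero_limit": ep.deliver(Message("evm", "evm", app_b, b"x")),
        "third_party_blocked": third_party_blocked,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the model is the ownership rule: because the limit lives in the application’s own configuration and only the application can write it, a misconfiguration such as the zero limit on app B affects that application alone, while the endpoint cannot use the same knob to silence everyone.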

As LayerZero continues to develop, the exchange highlights the need for constant scrutiny of its security model, and of the configuration defaults that applications built on it inherit.

ZRO Token Launch Faces Mixed Reactions

LayerZero Labs remains confident in the strength and reliability of its cross-chain interoperability technology, which allows smart contracts on different blockchains to communicate and transfer value across isolated decentralized networks.

Recently, LayerZero started distributing its native ZRO tokens through an airdrop. Major crypto exchanges like Binance and Upbit have listed ZRO, but the launch was met with mixed reactions. Many participants were disappointed with the airdrop rewards. As of now, ZRO is trading at around $3.5, a 15% drop since its launch.
