LayerZero bridging protocol denies accusation of ‘critical vulnerabilities’

Summa founder James Prestwich has accused the $382 million LayerZero bridging protocol of hosting a “critical vulnerability.” 

According to a Jan. 30 post by Prestwich, this vulnerability “could result in theft of all user funds.” LayerZero CEO Bryan Pellegrino has called Prestwich’s accusation “absolutely shocking” and “wildly dishonest,” claiming that the vulnerability only applies to applications that don’t modify the default configuration.

LayerZero is a protocol used to create cross-chain blockchain bridges. Its most notable application is the Stargate Bridge, which can be used to move coins between several different blockchain networks, including Ethereum, BNB Chain (BNB), Avalanche (AVAX), Polygon (MATIC) and others. Stargate has $382 million of total value locked (TVL) in its smart contracts as of Jan. 30, according to DeFi Llama.

According to its whitepaper, the LayerZero protocol provides a trustless way of moving cryptocurrencies from one network to another. It does this by using an Oracle and Relayer to verify that coins are locked on one chain before allowing a coin to be minted on a different chain. As long as the Oracle and Relayer are independent and do not collude with each other, it should be impossible for coins to be minted on the destination chain without first being locked on the originating chain.

However, Prestwich claimed in a Jan. 30 blog post that Stargate and other bridges that use the “default configuration” for LayerZero suffer from a critical vulnerability. He claimed this vulnerability allows the LayerZero team to remotely change “the default Receiving library” or to “arbitrarily modify message payloads,” which can enable the team to bypass the Oracle and Relayer to transmit any message they want across the bridge. This implies that when LayerZero is used with its default configuration, it relies upon trust in the LayerZero team rather than in a decentralized protocol for its security.
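The trust question in this dispute can be shown with a small model. This is an added example, not LayerZero code or anything from Prestwich's post: the class, function and app names are hypothetical, and the "library" is reduced to a function that accepts or rejects a message.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Library = Callable[[dict], bool]  # returns True if the inbound message is accepted

def two_party_check(msg: dict) -> bool:
    """Accept only if the Oracle's root and the Relayer's proof root both exist and match."""
    root = msg.get("oracle_root")
    return root is not None and root == msg.get("relayer_root")

def owner_supplied_check(msg: dict) -> bool:
    """Stand-in for any replacement library the endpoint owner might install."""
    return True

@dataclass
class Endpoint:  # hypothetical model of a shared messaging endpoint
    owner: str
    default_library: Library
    pinned: Dict[str, Library] = field(default_factory=dict)

    def set_default_library(self, caller: str, lib: Library) -> None:
        if caller != self.owner:
            raise PermissionError("only the owner can change the default")
        self.default_library = lib

    def pin_library(self, app: str, lib: Library) -> None:
        self.pinned[app] = lib  # app opts out of whatever the default becomes

    def receive(self, app: str, msg: dict) -> bool:
        return self.pinned.get(app, self.default_library)(msg)

def apps_relying_on_default(ep: Endpoint, apps: List[str]) -> List[str]:
    """Audit helper: apps whose acceptance rule the endpoint owner can change."""
    return sorted(a for a in apps if a not in ep.pinned)

def demo() -> dict:
    apps = ["default_app", "pinned_app"]
    ep = Endpoint(owner="team", default_library=two_party_check)
    ep.pin_library("pinned_app", two_party_check)
    unverified = {"oracle_root": None, "relayer_root": "0xabc"}  # constructed sample
    before = {a: ep.receive(a, unverified) for a in apps}
    ep.set_default_library("team", owner_supplied_check)  # default changes under the app
    after = {a: ep.receive(a, unverified) for a in apps}
    return {"before": before, "after": after, "audit": apps_relying_on_default(ep, apps)}

if __name__ == "__main__":
    print(demo())
```

In this model, the app that kept the default inherits whatever rule the owner installs, while the app that pinned its own library keeps the two-party check; this mirrors both Prestwich's claim and Pellegrino's reply that only default-configured applications are affected.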

Prestwich further claimed that Stargate suffers from this vulnerability since it uses the default configuration. To mitigate against this vulnerability, Prestwich…

Click Here to Read the Full Original Article at Cointelegraph.com News…