Zach Rynes | CLG
Zach Rynes | CLG|5月 08, 2026 18:51
🚨 @MessariCrypto just put out a vulnerability alert for @LayerZero_Core classified both high urgency and high impact under the "Security and Hacks" category TL;DR: - Independent security researchers flagged a structural vulnerability in LayerZero's default receive library configuration - OApps that haven’t explicitly pinned their receive library fall back to the default set by the LayerZero Labs multisig, which can forge messages to any such OApp - @LayerZero_Labs CEO Bryan Pellegrino confirmed: “Labs could create a malicious library or could point to itself as the only DVN” - @banteg simulated the exploit path: ~$3.13B in adapter value was exposed after the Kelp bridge incident. ~$175M still sits unpinned today - This is a recurrence of vulnerabilities @_prestwich disclosed in January 2023. LayerZero Labs CTO's public denial at the time was called false in the original disclosure report - 3 of the 5 prior LayerZero Labs multisig signing keys were engaging in active DeFi txs (memecoin trading, DEX swaps, Stargate staking) while the signing threshold was only 2-of-5 - Pellegrino said one of the multisig signers was just “testing PEPE’s OFT integration” but onchain data contradicts this claim as the address was actually buying "McPepes" on Uniswap with ETH -- Trading memecoins on production multisig keys ... An absolute failure of even the most basic opsec and key isolation best practices We as an industry must do better than this(Zach Rynes | CLG)
Share To

HotFlash

APP

X

Telegram

Facebook

Reddit

CopyLink

Hot Reads