{"id":546046,"date":"2023-01-31T22:00:00","date_gmt":"2023-01-31T19:00:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/layerzero-bridging-protocol-denies-accusation-of-critical-vulnerabilities\/"},"modified":"2023-01-31T22:00:00","modified_gmt":"2023-01-31T19:00:00","slug":"layerzero-bridging-protocol-denies-accusation-of-critical-vulnerabilities","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/layerzero-bridging-protocol-denies-accusation-of-critical-vulnerabilities\/","title":{"rendered":"LayerZero bridging protocol denies accusation of &#8216;critical vulnerabilities&#8217;"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"%E2%80%9D_LayerZero_bridging_protocol_denies_accusation_of_%E2%80%98critical_vulnerabilities_%E2%80%9C\"><\/span>LayerZero bridging protocol denies accusation of &#8216;critical vulnerabilities&#8217;<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p><img decoding=\"async\" src=\"https:\/\/images.cointelegraph.com\/images\/840_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjMtMDEvNzMwMDU3YTctOWUxNy00NTU4LTkzYjItZmIyZjRmZDBiMDczLmpwZw==.jpg\" \/><\/p>\n<div class=\"post-content\" data-v-5a4050f8>Summa founder James Prestwich has <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/_prestwich\/status\/1620097168114876419\">accused<\/a> the $382 million LayerZero bridging protocol of hosting a \u201ccritical vulnerability.\u201d\u00a0<\/p>\n<p>According to a Jan. 
30 <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/_prestwich\/status\/1620097168114876419\">post<\/a> by Prestwich, this vulnerability \u201ccould result in theft of all user funds.\u201d LayerZero CEO Bryan Pellegrino has called Prestwich\u2019s accusation \u201cabsolutely shocking\u201d and \u201cwildly dishonest,\u201d claiming that the vulnerability only applies to applications that don\u2019t modify the default configuration.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Absolutely shocking that a competitor would put out a wildly dishonest post about us. Happy to have <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/zellic_io?ref_src=twsrc%5Etfw\">@zellic_io<\/a> <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/osec_io?ref_src=twsrc%5Etfw\">@osec_io<\/a> <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/zokyo_io?ref_src=twsrc%5Etfw\">@ZOKYO_io<\/a> or any other of the auditing firms come comment and dispel but let me summarize. <\/p>\n<p>If you set up your own config, absolutely none of this is true <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/t.co\/zXdqkqO4rZ\">https:\/\/t.co\/zXdqkqO4rZ<\/a><\/p>\n<p>\u2014 Bryan Pellegrino (@PrimordialAA) <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/twitter.com\/PrimordialAA\/status\/1620095663680929792?ref_src=twsrc%5Etfw\">January 30, 2023<\/a><\/p><\/blockquote>\n<p>LayerZero is a protocol used to create cross-chain blockchain bridges. 
Its most notable application is the Stargate Bridge, which can be used to move coins between several different blockchain networks, including Ethereum, BNB Chain (BNB), Avalanche (AVAX), Polygon (MATIC) and others. Stargate <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/defillama.com\/protocol\/stargate\">has<\/a> $382 million of total value locked (TVL) in its smart contracts as of Jan. 30, according to DeFi Llama.<\/p>\n<p>According to its whitepaper, the LayerZero protocol <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/layerzero.network\/pdf\/LayerZero_Whitepaper_Release.pdf\">provides<\/a> a trustless way of moving cryptocurrencies from one network to another. It does this by using an Oracle and Relayer to verify that coins are locked on one chain before allowing a coin to be minted on a different chain. As long as the Oracle and Relayer are independent and do not collude with each other, it should be impossible for coins to be minted on the destination chain without first being locked on the originating chain.<\/p>\n<p>However, Prestwich <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/prestwich.substack.com\/p\/zero-validation\">claimed<\/a> in a Jan. 30 blog post that Stargate and other bridges that use the \u201cdefault configuration\u201d for LayerZero suffer from a critical vulnerability. He claimed this vulnerability allows the LayerZero team to remotely change \u201cthe default Receiving library\u201d or to \u201carbitrarily modify message payloads,\u201d which can enable the team to bypass the Oracle and Relayer to transmit any message they want across the bridge. This implies that when LayerZero is used with its default configuration, it relies upon trust in the LayerZero team rather than in a decentralized protocol for its security.<\/p>\n<p>Prestwich further claimed that Stargate suffers from this vulnerability since it uses the default configuration. 
To mitigate against this vulnerability, Prestwich advises app developers who use LayerZero to alter their smart contracts to change the configuration. However, he says that most LayerZero apps still use the default configuration, putting them at risk.<\/p>\n<p>LayerZero CEO Bryan Pellegrino vigorously denied Prestwich\u2019s claims, calling them \u201cwildly dishonest\u201d in a Jan. 30 tweet.\u00a0<\/p>\n<p>In a conversation with Cointelegraph on Jan. 31, Pellegrino stated that all validation libraries \u201care immutable forever, period.\u201d The team can add new libraries but \u201ccan never change, remove, or do anything to\u201d the ones that already exist. While the team can add new libraries to the registry, if an app has already chosen a particular library or set of libraries to be used, this cannot be changed by the LayerZero team.<\/p>\n<p>Pellegrino admitted that the library an app \u201cpoints to\u201d can be changed by the LayerZero team if the app developer is using the defaults, but not if it has already moved away from the default configuration.<\/p>\n<p>As for Prestwich\u2019s claim that Stargate is at risk, Pellegrino responded by saying that the StargateDAO voted on Jan. 3 to change its library from the default to a specific one that is more gas-efficient. He expects this library change to be implemented \u201cthis week (likely today).\u201d Once this update is made, \u201cthat will never be able to change on them unless Stargate votes and changes it themselves.\u201d<\/p>\n<p>Cross-chain bridge security has been a hot topic in the crypto community over the past few years, as millions of dollars have been lost through bridge hacks. 
In May, 2022, the Axie Infinity Ronin Bridge was exploited for $600 million\u00a0by an attacker who stole keys to the developers\u2019 multi-sig wallet and used it to mint coins without any backing. A similar attack occurred against the Harmony Horizon Bridge on June 24, 2022. Over $100 million was lost in the Horizon attack. The Harmony team has since relaunched the bridge using the LayerZero protocol.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/layerzero-bridging-protocol-denies-accusation-of-critical-vulnerabilities\" target=\"_blank\" 
rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8221; LayerZero bridging protocol denies accusation of &#8216;critical vulnerabilities&#8217; &#8220; Summa founder James Prestwich has accused the $382 million LayerZero bridging protocol of hosting a \u201ccritical vulnerability.\u201d\u00a0 According to a Jan. 30 post by Prestwich, this vulnerability \u201ccould result in theft of all user funds.\u201d LayerZero CEO Bryan Pellegrino has called Prestwich\u2019s accusation \u201cabsolutely shocking\u201d&#8230;<\/p>\n","protected":false},"author":1,"featured_media":546047,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/s3.cointelegraph.com\/uploads\/2023-01\/730057a7-9e17-4558-93b2-fb2f4fd0b073.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74983,74868,70375,70944,72287],"class_list":["post-546046","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-decentralization","tag-defi","tag-cybersecurity","tag-hackers","tag-security"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/546046","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=546046"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/546046\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/546047"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=546046"}],"wp:term":[{"
taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=546046"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=546046"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}