
LayerZero Discourse Erupts in 'ETHSecurity Community' Telegram Channel

Security researchers claim more than $3B was at risk due to LayerZero's insecure default settings and poor operational security.
May 8, 2026

Heated debate erupted yesterday in the "ETH Security Community" Telegram channel between LayerZero's Bryan Pellegrino and leading community security researchers.

What's the Scoop?

  • Immense Risk: Security researchers revealed that more than $3B in LayerZero OFTs were (until recently) dependent on a default library contract that LayerZero Labs could upgrade instantly, with no timelock, which in principle would allow forged cross-chain messages to be delivered. This mirrors the same vulnerable setup that was recently exploited in the KelpDAO hack. According to Yearn contributor banteg, major protocols including Ethena and EtherFi were still relying on this default library configuration as recently as a few weeks ago, despite the clear risks of centralized upgrade control.
  • Poor Security Practices: The researchers questioned the security practices of LayerZero's multisig wallet signers, with James Prestwich noting that signing keys had been used to trade "McPepes" (PEPES) memecoins and conduct other personal transactions, indicating that the keys belonged to the day-to-day addresses of internal LayerZero contributors. LayerZero's Pellegrino responded that such signers have been removed from the multisig, and claimed any memecoin trading was part of official team tests (a defense which was refuted by Prestwich).
  • Continued Exposure: Although many teams have migrated away from LayerZero's default security settings in the aftermath of the KelpDAO exploit, researchers claim that $178.5M remains exposed today in projects that still use the default library setup rather than migrating to immutable or independently governed configurations.

Not financial or tax advice. This newsletter is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. This newsletter is not tax advice. Talk to your accountant. Do your own research.

Disclosure. From time to time I may add links in this newsletter to products I use. I may receive commission if you make a purchase through one of these links. Additionally, the Bankless writers hold crypto assets. See our investment disclosures here.