LayerZero, a protocol which enables messaging across blockchains and is used by applications entrusted with hundreds of millions of dollars, drew scrutiny on Jan. 5 for a purported security flaw.
A post by Krzysztof Urbański of L2BEAT, an analytics and research website which focuses on Layer 2s and bridges, showed how a cross-chain application deployed on LayerZero could relatively easily be reconfigured to steal users’ assets. The attack becomes possible when two components, called the Oracle and the Relayer, are controlled by the same party.
LayerZero’s cross-chain technology is used by some of DeFi’s biggest protocols, including decentralized exchanges like SushiSwap and PancakeSwap, as well as blockchains like the much-hyped Aptos.
Urbański disagrees with LayerZero’s whitepaper, which indicates that the protocol’s design ensures that the Relayer cannot collude with the Oracle.
“[The paper’s authors] even directly state that in order for their mechanics to work, it’s required that Oracle and Relayer are independent and do not collude,” Urbański told The Defiant. “But it’s up to app developers to choose who is serving as Oracle and Relayer, so they are free to set it up in a way that they are actually dependent and that they do collude.”
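The failure condition Urbański describes is a configuration property, so it can be checked from the outside. The following is an added illustration, not LayerZero’s or L2BEAT’s code: a hypothetical audit over per-chain Oracle/Relayer settings that flags an app whose two roles resolve to the same address or, via a constructed address-to-operator mapping, to the same controlling party.

```python
"""Hypothetical audit of the Oracle/Relayer independence assumption.

An app picks, per chain, which address acts as its Oracle and which as its
Relayer. If both resolve to one party, the collusion the design rules out by
assumption is simply a configuration choice.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppConfig:
    app: str
    chain: str
    oracle: str
    relayer: str


# Constructed sample data: which known operator runs each address.
# Addresses are placeholders, not real deployments.
CONTROLLERS = {
    "0xaaa1": "operator-A",
    "0xaaa2": "operator-A",  # a second address run by the same operator
    "0xbbb1": "operator-B",
    "0xccc1": "operator-C",
}


def controller_of(addr: str) -> str:
    # An address with no known operator is treated as its own controller.
    return CONTROLLERS.get(addr, addr)


def audit(configs):
    """Return (app, chain, reason) for every config whose Oracle and Relayer
    are not independent parties."""
    findings = []
    for c in configs:
        if c.oracle == c.relayer:
            findings.append((c.app, c.chain, "same address"))
        elif controller_of(c.oracle) == controller_of(c.relayer):
            who = controller_of(c.oracle)
            findings.append((c.app, c.chain, f"same controller: {who}"))
    return findings


# Constructed configs: one independent, one identical, one hidden overlap.
SAMPLE = [
    AppConfig("bridge-X", "ethereum", "0xbbb1", "0xccc1"),
    AppConfig("bridge-X", "avalanche", "0xaaa1", "0xaaa1"),
    AppConfig("bridge-Y", "ethereum", "0xaaa1", "0xaaa2"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Because the roles are set by each app rather than by the protocol, such a check has to be run per application and per chain, which is the monitoring burden the two sides argue about below.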
The report raised eyebrows because LayerZero calls itself a “trustless” protocol in its whitepaper. Trustlessness is a core tenet of crypto protocols, which strive to develop mechanisms, whether economic or technical, which eliminate the need for human intervention.
Further, projects which use LayerZero often move assets across blockchains, and these types of cross-chain applications, called bridges, were one of the most vulnerable sub-sectors of crypto in 2022, with over $1B lost to exploits.
The team at LayerZero Labs, the company behind the LayerZero protocol, doesn’t believe that Urbański was exposing anything that wasn’t already public information.
“The LayerZero protocol is just that, a protocol,” Ryan Zarick, co-founder and CTO at LayerZero Labs, told The Defiant. “You can build good and bad things on top of it. Just like you can build good and bad things on the internet and blockchains.”
LayerZero can be used for a broad range of use cases — SushiSwap uses the protocol to facilitate trades across blockchains. A cross-chain yield aggregator called Unison is in development. And a project called Gh0stly Gh0sts launched in April with NFTs which, using LayerZero, could cross blockchains from the get-go.
Unlocking safer inter-blockchain transactions would be a significant boon to the crypto industry, which suffers from the inefficiencies of assets and information siloed on single blockchains.
LayerZero is one of the highest-profile projects to facilitate inter-blockchain connectivity — LayerZero Labs has raised $213M in funding, according to Crunchbase.
In this context, Urbański’s post is an important caveat for anyone under the impression that apps built on LayerZero are completely secure — there’s still room for error.
LayerZero Labs’ Zarick sees an ulterior motive behind the report.
“L2BEAT’s main issue is that they cannot easily universally monitor all LayerZero-enabled applications by looking at a single set of contracts,” he told The Defiant.
“As cross-chain applications become more complex, L2Beat is required to write customized and complicated monitoring tools to properly monitor the security of these applications,” Zarick continued. “It is far easier to mark all LayerZero-enabled applications as insecure and discredit them than spend the time to do the actual work in evaluating each app.”
Urbański told The Defiant that he didn’t intend to single out any protocol. “We don’t want this discussion to focus just on LayerZero, we used it as an example, but the main goal is to actually highlight the security issues and spark the discussion.”
Moving forward, Bryan Pellegrino, the CEO of LayerZero Labs, and Urbański have agreed to debate the matter further on a Twitter Space. “The ideal outcome for us is that we come out with some conclusions that will make both LayerZero and the whole ecosystem safer,” Urbański said.