By
Mayowa Adebajo
June 27th, 2024
In response to 0x52, Pellegrino countered by saying that the ability to configure payload limits is a deliberate design choice.
In a series of heated exchanges on X (formerly Twitter), LayerZero Labs’ co-founder and CEO Bryan Pellegrino dismissed claims of a critical vulnerability in the LayerZero protocol as “entirely baseless”.
The controversy began when pseudonymous blockchain security researcher 0x52 disclosed what he claimed to be a critical flaw in LayerZero’s messaging protocol. Since then, 0x52 has deleted his original tweet and apologized for the false alarm.
I have deleted my prior posts. I should have further validated all aspects before posting.
Apologies to @LayerZero_Labs. Many thanks to @PrimordialAA for doing what I failed to do and for correcting my mistake.
— 0x52 (@IAm0x52) July 1, 2024
Details of the Alleged Vulnerability
0x52’s revelations stemmed from his audit of the UXDProtocol under the SherlockDefi audit program. He claimed that LayerZero’s endpoint contract, which handles messages between protocols, didn’t limit the size of messages or destination addresses.
He warned that a hacker could send a message with a very large destination address, causing errors and potentially stopping communication between different blockchain networks. This could lead to significant financial losses for affected protocols.
According to 0x52, this vulnerability could affect many protocols using LayerZero, especially those involving both EVM (Ethereum Virtual Machine) chains and non-EVM chains like Solana, which use different address sizes.
LayerZero CEO’s Response and Design Philosophy
In response to 0x52, Pellegrino countered by saying that the ability to configure payload limits is a deliberate design choice. He explained that enforcing a fixed limit could allow censorship, which goes against LayerZero’s goal of creating a censorship-resistant system.
Not only is this not a bug, this is by design in the protocol
Any messaging protocol that enshrines this configuration can now censor any application. You cannot have one without the other. We believe in censorship-resistant technology rails.
— Bryan Pellegrino (臭企鹅) (@PrimordialAA) July 1, 2024
Pellegrino further clarified that the code referenced by 0x52 dates back to 2022 and pertains to application configuration, not the core protocol. He stated that the payload size limit is part of the app’s security settings and can be adjusted by the app itself. Pellegrino noted that if an app couldn’t override this configuration, LayerZero could potentially block application messaging by setting the payload limit to zero, which would contradict the protocol’s design principles.
Pellegrino encouraged skeptics to fork and test the system themselves, insisting that the issue could only occur if an application specifically opted to configure it that way, similar to how an individual application on Ethereum might have bad contract configurations.
As LayerZero continues to develop, this discussion highlights the need for constant scrutiny of their security protocols.
ZRO Token Launch Faces Mixed Reactions
LayerZero Labs remains confident in the strength and reliability of its cross-chain interoperability technology, which allows smart contracts on different blockchains to communicate and transfer value across isolated decentralized networks.
Recently, LayerZero started distributing its native ZRO tokens through an airdrop. Major crypto exchanges like Binance and Upbit have listed ZRO, but the launch was met with mixed reactions. Many participants were disappointed with the airdrop rewards. As of now, ZRO is trading at around $3.5, a 15% drop since its launch.