LayerZero Security Debate Intensifies as Developers Warn

By WebDesk | May 8, 2026 | 6 Mins Read
  • Security researcher Banteg ignited a debate by highlighting LayerZero’s default multisig setup, which exposed billions in OFT (Omnichain Fungible Token) assets to potential compromise.
  • His research also showed that LayerZero’s default setup created major security risks for many connected projects.
  • The controversy pushed several protocols to improve security or move to safer alternatives like Chainlink CCIP.

A heated debate broke out in the ETHSecurity Community Telegram Group between LayerZero’s Bryan Pellegrino (co-founder and CEO of LayerZero) and security researchers. The debate was about a default library contract that LayerZero Labs could upgrade without a timelock, putting more than $3 billion in LayerZero Omnichain Fungible Tokens (LZ OFTs) at risk of compromise similar to the recent rsETH hack.

The Spark: Vulnerable Default Library Exposed

A security researcher highlighted that LayerZero’s default library contract allowed the team to make instant upgrades without any delay mechanism such as a timelock. With this setup, team members could forge a cross-chain message, mimicking the rsETH exploit in which attackers drained funds by faking verifications.

Projects such as Ethena and EtherFi were using this default library just weeks ago, according to researcher Banteg. Even now, onchain data shows $178 million in value from various projects remains exposed to this risk if LayerZero Labs’ control is abused.

Yearn developer Banteg intensified the debate when he warned that many protocols were still dangerously dependent on LayerZero’s default 3-of-5 multisig setup. He argued that projects relying on the default receive library without stronger protections were exposing themselves to unnecessary risk, as any compromise of LayerZero’s multisig could allow attackers to drain connected adapters instantly.

Following the Kelp exploit, Banteg estimated that vulnerable adapters initially represented around $3.13 billion in potential exposure, though that figure later dropped significantly after some projects hardened their configurations.

Despite this progress, he stressed that many protocols still remained vulnerable. By publishing exact technical guidance for the security of these integrations, Banteg shifted the debate from theory to actionable risk, reigniting concerns over LayerZero’s centralized dependencies.

LayerZero does not need to act maliciously for danger to arise; any compromise of its systems could lead to a supply chain attack on all dependent projects. This mirrors past audits that flagged similar trusted-party risks in LayerZero’s Endpoint and UltraLightNode contracts.

Multisig Signers Caught in High-Risk Activities

Onchain evidence showed that LayerZero Labs’ production multisig signers, which are meant to secure billions, were used for risky personal activities. These included trading the memecoin McPepes (PEPES) on Uniswap, DEX swaps, and bridging assets, exposing keys to phishing sites.

Zach Rynes, a Chainlink community figure, called it out on X (formerly known as Twitter). He labeled it a total failure of basic opsec and key isolation, raising supply chain attack fears.

LayerZero’s Bryan claimed they were testing “PEPE’s OFT integration,” but critics noted that PEPE was not even deployed yet, and McPepes is a different token altogether. This poor handling of production keys explains their prior North Korea hack vulnerability, where Lazarus Group targeted them through compromised RPCs.

LayerZero’s History of Security Issues

LayerZero Labs has faced repeated scrutiny for opsec lapses. North Korean hackers managed to infiltrate their infrastructure, spoofing RPC data in the KelpDAO rsETH exploit that stole $290-292 million, which LayerZero blamed on Kelp’s single DVN setup.

Past reports like ZeroValidation detailed multisig exploits allowing arbitrary messages without any proper sign-off. Projects migrating away cite these as signs of centralized risks spreading to user funds.

The rsETH hack showed how weak configs amplify dangers, with LayerZero halting signatures for single-verifier apps post-incident. Critics argue defaults push users into risky paths without clear warnings.

Bryan vs Researchers: Clash in Telegram

In the ETHSecurity Telegram debate, Bryan defended LayerZero, but researchers pushed back on the library risks and multisig misuse. They stressed that production keys connected to DEXs and memecoin trades scream phishing bait, especially post-North Korea breach. Bryan dismissed some claims, but the group highlighted $3B+ OFT exposure.

Influencer Backlash and Project Shifts

Another crypto influencer, Ed, posted on X, arguing that the protocol’s defenders overlooked a major issue: its own centralized infrastructure had been compromised.

KelpDAO, after the April 18 LayerZero-linked exploit, announced its migration of rsETH to Chainlink CCIP over concerns about infrastructure security and unanswered ecosystem questions.

Solv Protocol has now followed with an even larger transition. The protocol is moving its more than $700 million SolvBTC and xSolvBTC ecosystem away from LayerZero bridges after the security review.

Together, these back-to-back migrations highlight a growing industry shift, as major protocols increasingly prioritize stronger security guarantees, proactive monitoring and institutional-grade cross-chain infrastructure.

These migrations suggest a growing preference for more secure cross-chain solutions, with Chainlink gaining almost $1 billion in assets. Industry voices like Yearn’s Banteg and Zach Rynes also backed concerns around LayerZero, pushing for stronger security standards.

Broader Implications for Cross-Chain Security

LayerZero’s OFT (Omnichain Fungible Token) standard powers billions of dollars in cross-chain token transfers by using a burn-and-mint system, where tokens are burned on one chain and recreated on another. While this model has helped many projects scale across blockchains, its default security setup has raised serious concerns.

In many cases, protection depends heavily on LayerZero Labs’ multisig infrastructure, meaning a small group of key holders can control critical operations. If these keys are exposed or internal systems are compromised, user funds and protocol security could be at risk.

Security experts have also pointed out that some of LayerZero’s libraries lack stronger upgrade protections or decentralized safeguards, which weakens trust in its modular bridge design.

As a result, several projects are now reconsidering their reliance on LayerZero and moving toward alternatives like Chainlink CCIP, which are increasingly viewed as more secure.

This shift highlights a bigger lesson for the crypto industry: strong code alone is not enough. Protocols also need better operational security, including timelocks, isolated key management, and multiple independent verifiers by default.

For users, the real danger usually comes not just from smart contract bugs, but from centralized infrastructure and poor security practices behind the scenes.
