James Prestvich, the founder of Summa, reprimanded the use of a $382 million LayerZero bridging mode agreement to escrow a "serious loophole".

According to a Prestwich post on Jan. 30, the vulnerability "could lead to the theft of all user assets." LayerZeroCEO Bobby Pellegrino called Prestvich's complaint "absolutely surprising" and "extremely untrustworthy", claiming that the vulnerability was only aimed at applications that did not change the default configuration.

LayerZero is mainly used to establish cross-chain block chain technical bridge agreement. Its most noteworthy application is Stargate Bridge, which can be used to move coins between several different types of blockchain systems, including ethernet, BNB Chain (BNB), Avax (Avax), Polygon (Majichi), etc. As of January 30th, the blockchain intelligence contract for Stargate contained a total of $382 million in TVL, according to DefiLlama.

According to its industry report, the LayerZero agreement provides an unreliable way to move digital currency from one Internet to another. It checks whether the coin is locked on one chain by using Oracle and wireless repeaters, which can then be forged on another chain to achieve this. As long as Oracle and the wireless relay layer are separate and do not collude, it should be unlikely to forge coins on the overall target chain without being locked on the originating chain first.

However, Prestwich claimed in his online article that there is a serious vulnerability in the "default" bridge of Stargate and other apps LayerZero. He said the vulnerability allowed the LayerZero team to remotely control changes to the "default acceptance library" or "arbitrarily change the information payload", which allowed the team to bypass the Oracle and wireless relay layers and transmit all the information they wanted based on the bridge. This means that when LayerZero is used with rather than default equipment, it relies on approval of the LayerZero team, rather than on piecemeal agreements to achieve its security.

Prestwich further claims that Stargate has this vulnerability because he uses the default device. To mitigate this vulnerability, Prestwich had better use LayerZero's application development staff to change his smart contract to change the equipment. However, he points out that most LayerZero applications are still equipped by default, which puts them at risk.

Related to:Cross-chain interoperability is still an obstacle to the large-scale selection of login passwords

LayerZeroCEO Bobby Pellegrino tried to deny Prestvich's claim, calling it "grossly untrustworthy" in a tweet on January 30th.

In a conversation with Cointelegraph on January 31st, Pellegrino stated that every authentication library "is always immutable, that's all." The team can add a new library, but "can never change, delete, or do anything with an existing library." Although the team can import a new library into the registry file, the LayerZero team cannot change this if the application has already selected a special library or library combination to be used.

Pellegrino agrees that if APP developers apply the default settings and the LayerZero team can change the application's "biased" libraries, it cannot be changed if the application is already out of the default.

In response to Prestwich's claim that Stargate was at risk, Pellegrino responded that StargateDAO voted on January 3 to change its library from the default to a more fuel-efficient special library. He estimates that changes to the library will be implemented "this week (most likely at this moment)". Once this upgrade takes place, "this will never change unless the Stargate network votes and changes it."

In the past few years, cross-link bridge security has been a hot topic in the cryptographic world, as bridge network hackers have lost millions of dollars. In May this year, Axie endless Luoning Bridge was used by a cyber attack for $600m, which stole the keys of real estate developers' multi-signed wallets and used it to forge coins if not applicable. On June 24, there was a similar attack on the Harmony Dawn overpass, which resulted in the theft of a $100 million login password. The Harmony team then restarted the bridge using the LayerZero protocol.