A claim has been raised that a security vulnerability was found in the default code LayerZero uses to verify cross-chain messages, exposing over $3 billion worth of omnichain fungible tokens (OFTs) to the risk of theft. According to the X (formerly Twitter) account Fishy Catfish, the code had a structure that allowed LayerZero Labs, the development company, to replace it immediately without any separate delay mechanism, potentially being exploited for message forgery. The controversy began with a heated debate between LayerZero CEO Bryan Pellegrino and security researchers in the ETHSecurity community Telegram. Banteg, who has 220,000 followers, pointed out, "Major projects like Ethena and EtherFi were also using this default setting until a few weeks ago, and currently, $178 million worth of assets remain exposed." Fishy Catfish added, "Given LayerZero's history of being attacked by North Korean hackers, on-chain data shows evidence of operational multi-signature keys being used for daily activities such as memecoin trading, raising questions about overall security management."
