BlockBeats News, May 8th - Earlier today, a heated debate broke out between LayerZero co-founder Bryan Pellegrino and security researchers in the ETHSecurity Community Telegram group.
The researchers pointed out a critical flaw in LayerZero's default library contract, which allowed LayerZero Labs to upgrade the contract without a time lock and thereby forge cross-chain messages. This was the fundamental reason behind the previous rsETH exploit incident. It was reported that over $30 billion worth of LayerZero Omnichain Fungible Tokens (OFT) were at risk due to this vulnerability.
According to Banteg, as of a few weeks ago, mainstream projects such as Ethena and EtherFi were still using this risky default library contract. Currently, around $178 million worth of assets are still exposed to potential attack risks.
On-chain data revealed that the multisig signers at LayerZero Labs were engaged in non-multisig activities, including meme coin transactions, swaps on DEXs, and cross-chain bridge operations. This indicates that the production environment's multisig keys were connected to regular websites, significantly increasing the risk of phishing attacks. Critics bluntly stated that LayerZero's private key management level was "like that of a high schooler."
In response, LayerZero co-founder Bryan stated that the relevant signers have been removed, the transactions were for "testing" purposes, and the default configuration is suitable for teams that "do not prioritize security." He emphasized that most major apps have switched and that LayerZero is working on enhancing user security, but that they have not individually held all apps accountable.
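Disclaimer: This content is based on a third party's views or is a direct AI translation of a third party's views. CoinEx does not guarantee the reliability, accuracy, or originality of the content, and it does not constitute investment advice from CoinEx. Cryptocurrency prices fluctuate sharply. Please be aware of the potential risks.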