Controversy over LayerZero security heats up as developers warn


  • Security researcher Banteg sparked controversy when he highlighted LayerZero’s virtual multi-signature setup, which exposed billions of dollars in OFT (Omnichain Fungible Token) assets to potential compromise.
  • His research also showed that the default setting of LayerZero created significant security risks for many connected projects.
  • The controversy has prompted many protocols to improve security or move to more secure alternatives such as Chainlink CCIP.

A heated discussion broke out in the ETHSecurity Telegram community group between Bryan Pellegrino (co-founder and CEO of LayerZero) and security researchers. At the center of the debate was a virtual library contract that LayerZero Labs could upgrade without a time lock, putting more than $3 billion in LayerZero Omnichain Fungible Tokens (LZ OFTs) at risk of a compromise similar to the recent rsETH hack.

Spark: Detection of vulnerable virtual library

The security researcher highlighted the fact that LayerZero’s virtual library contract allowed the team to perform instant upgrades with no delay mechanism such as a time lock. With this setup, team members could craft an on-chain message that mimics the rsETH exploit, in which attackers drained funds by forging verifications.

Projects like Ethena and EtherFi have been using this virtual library for only weeks, according to researcher Banteg. So far, onchain data shows that $178 million worth of various projects remain at risk if LayerZero Labs’ control is abused.

Yearn developer Banteg escalated the whole thing after warning that many protocols still depend dangerously on LayerZero’s default 3-of-5 multisig setting. Projects that rely on the default receiving library without stronger protection expose themselves to unnecessary risk, he said, since any compromise of LayerZero’s multisig could allow attackers to instantly drain the connected OFTs.

After the Kelp exploit, Banteg estimated that vulnerable OFTs initially accounted for about $3.13 billion in potential exposure, though that number later dropped significantly after some projects hardened their configurations.

Despite this progress, he stressed that many protocols remain vulnerable. By publishing careful technical guidance on securing these integrations, Banteg shifted the discussion from theory to actionable risk, once again raising concerns about LayerZero’s central dependencies.

LayerZero does not need to act maliciously for a risk to arise, and any breach of its systems could lead to a supply chain attack on all affiliated projects. This reflects previous audits indicating similar risks to the trusted portions of LayerZero’s Endpoint and UltraLightNode contracts.

Multisig signatories engaged in high-risk activities

Onchain evidence showed that LayerZero Labs’ production multisig signers, keys meant to secure billions of dollars, were used for risky personal activity. This included trading the memecoin McPepes (PEPES) on Uniswap, DEX swaps, bridging assets, and exposing keys to phishing sites.

Chainlink community figure Zach Rynes pointed this out on X (formerly Twitter). He described it as a complete failure of basic operational security and key isolation, raising fears of a supply chain attack.

Bryan from LayerZero claimed that they were testing “PEPE’s OFT integration,” but critics pointed out that PEPE’s OFT has not yet been deployed, and that McPepes is a completely different token. This poor handling of production keys puts the earlier North Korean compromise in context, in which the Lazarus Group targeted them through compromised RPCs.

History of LayerZero’s security issues

LayerZero Labs has faced repeated scrutiny for operational lapses. North Korean hackers were able to compromise its infrastructure and spoof RPC data in the KelpDAO rsETH exploit, which stole between $290 million and $292 million; LayerZero was blamed over Kelp’s single-DVN setup.

Earlier reports such as ZeroValidation detail multisig weaknesses that allow messages to be pushed through without proper approval, and projects migrating away point to these as signs of centralized risk spreading to users’ funds.

The rsETH hack showed how weak configurations amplify risk; LayerZero halted signing for single-verifier applications after the incident. Critics say the default settings push users down risky paths without clear warnings.

Bryan vs. the researchers: conflict on Telegram

In the ETHSecurity Telegram debate, Bryan defended LayerZero, but researchers pushed back on the dangers of the library and of multisig abuse. They stressed that production keys tied to DEX and memecoin transactions are exposed to phishing bait, especially after the North Korean hack. Bryan rejected some of the allegations, but the group highlighted the $3 billion OFT exposure.

Influencer backlash and project shifts

Another crypto influencer, Ed, posted on X arguing that the protocol’s defenders had ignored a key issue: its central infrastructure had been compromised.

KelpDAO, following the LayerZero-related exploit on April 18, announced the migration of rsETH to Chainlink CCIP due to concerns about infrastructure security and unanswered ecosystem questions.

The Solv protocol has now followed with an even larger transition, moving more than $700 million from the SolvBTC and xSolvBTC ecosystem away from LayerZero bridges after a security review.

Together, these migrations highlight a growing shift in the industry, as major protocols increasingly prioritize stronger security guarantees, proactive monitoring and enterprise-level cross-chain infrastructure.

These migrations indicate a growing preference for more secure cross-chain solutions, with Chainlink gaining nearly $1 billion in assets. Industry voices such as Yearn’s Banteg and Zach Rynes have also supported concerns about LayerZero, and pushed for stronger security standards.

Broader implications for cross-chain security

LayerZero’s OFT (Omnichain Fungible Token) standard powers billions of dollars of cross-chain token transfers using a burn-and-mint system, where tokens are burned on one chain and recreated on another. While this model has helped many projects scale across blockchains, its default security setup has raised serious concerns.

In many cases, security relies heavily on LayerZero Labs’ multi-signature infrastructure, which means that a small group of keyholders controls critical operations. If those keys are exposed or internal systems are compromised, both user funds and the security of the protocol are at risk.

Security experts have also pointed out that some LayerZero libraries lack stronger upgrade protection or decentralization guarantees, weakening confidence in their modular bridge design.

As a result, many projects are now reconsidering their reliance on LayerZero and moving towards alternatives such as Chainlink CCIP, which are increasingly viewed as more secure.

This shift highlights a larger lesson for the cryptocurrency industry: strong code alone is not enough. Protocols also need better operational security, including time locks, isolated key management, and multiple independent verifiers by default.
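As an added illustration (not code from the article, LayerZero, or any project named here), the following Python checker scores a constructed configuration model against the three mitigations just listed: a time lock on library upgrades, isolated production keys, and more than one independent verifier. The config fields, DVN names, signer addresses and activity log are assumptions made for this example, not LayerZero's real schema.

```python
from dataclasses import dataclass, field

# Constructed config model for this example; NOT LayerZero's actual configuration schema.
@dataclass
class OAppConfig:
    name: str
    uses_default_receive_library: bool   # inherits the vendor-controlled default library
    upgrade_timelock_hours: int          # 0 = library upgrades take effect instantly
    required_dvns: list[str]             # every one of these must attest a message
    optional_dvns: list[str] = field(default_factory=list)
    optional_threshold: int = 0          # how many optional DVNs must also attest
    production_signers: set[str] = field(default_factory=set)

# Activity kinds that, when seen from a production signer, indicate a key-isolation failure
RISKY_ACTIVITY = {"dex_swap", "memecoin_trade", "asset_bridge", "unknown_dapp_approval"}

def min_independent_verifiers(cfg: OAppConfig) -> int:
    """Fewest distinct verifiers that must attest before a message is accepted."""
    required = set(cfg.required_dvns)
    optional = set(cfg.optional_dvns) - required   # a DVN listed in both counts once
    return len(required) + min(cfg.optional_threshold, len(optional))

def audit(cfg: OAppConfig, activity: list[dict]) -> list[str]:
    """Return one finding per unmet mitigation; an empty list means all three are met."""
    findings = []
    if cfg.uses_default_receive_library:
        findings.append("default receive library: upgrade authority rests with the vendor multisig")
    if cfg.upgrade_timelock_hours <= 0:
        findings.append("no upgrade time lock: a compromised upgrader can swap the library instantly")
    n = min_independent_verifiers(cfg)
    if n < 2:
        findings.append(f"single point of verification: only {n} verifier(s) must attest")
    tainted = sorted({e["signer"] for e in activity
                      if e["signer"] in cfg.production_signers and e["kind"] in RISKY_ACTIVITY})
    if tainted:
        findings.append("key isolation failure: production signers seen in risky activity: "
                        + ", ".join(tainted))
    return findings

# Constructed samples: a default-style setup and a hardened one (addresses are placeholders).
WEAK = OAppConfig("weak-oft", True, 0, ["dvn-vendor"], production_signers={"0xSIGNER_A"})
HARDENED = OAppConfig("hardened-oft", False, 48, ["dvn-vendor", "dvn-independent"],
                      ["dvn-c", "dvn-d"], 1, {"0xSIGNER_B"})
SAMPLE_ACTIVITY = [                       # constructed on-chain activity log
    {"signer": "0xSIGNER_A", "kind": "memecoin_trade"},
    {"signer": "0xSIGNER_B", "kind": "multisig_execute"},
]

if __name__ == "__main__":
    for cfg in (WEAK, HARDENED):
        print(cfg.name, audit(cfg, SAMPLE_ACTIVITY) or ["no findings"])
```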

For users, the real risk usually comes not only from smart contract errors, but from centralized infrastructure and poor security practices behind the scenes.
