# LayerZero Discourse Erupts in 'ETHSecurity Community' Telegram Channel

*Author: Jack Inabinet*

*Published: May 8, 2026*

*Source: https://www.bankless.com/de/read/news/layerzero-discourse-erupts-in-ethsecurity-community-telegram-channel*

---

Heated debate erupted yesterday in the "ETH Security Community" Telegram channel between LayerZero's Bryan Pellegrino and leading community security researchers.

### What's the Scoop?

- **Immense Risk:** Security researchers revealed that more than $3B in LayerZero OFTs were (until recently) dependent on a default library contract, which LayerZero Labs could upgrade instantly with no timelock, theoretically allowing forged cross-chain messages. This mirrors the same vulnerable setup that was recently [exploited](https://www.bankless.com/podcast/the-280m-defi-exploit-that-changes-crypto-forever) in the KelpDAO hack. According to Yearn contributor [*banteg*](https://x.com/banteg), major protocols including Ethena and EtherFi were still relying on this default library configuration as recently as a few weeks ago, despite the clear risks associated with centralized upgrade control.
- **Poor Security Practices:** The researchers questioned the security practices utilized by LayerZero's multisig wallet signers, with [James Prestwich](https://x.com/_prestwich) noting that signing keys were used to trade "McPepes" (PEPES) memecoins and conduct other personal transactions, indicating that the keys were associated with the day-to-day address of internal LayerZero contributors. LayerZero's Pellegrino [responded](https://x.com/CatfishFishy/status/2052552579725324473?s=20) that such signers have been removed from the multisig, and claimed any memecoin trading was in relation to official team tests (a defense which was [refuted](https://x.com/CatfishFishy/status/2052552607395381544?s=20) by Prestwich).
- **Continued Exposure:** Although many teams have migrated away from LayerZero's default security standards in the aftermath of the KelpDAO exploit, researchers [claim](https://x.com/CatfishFishy/status/2052552601489559958?s=20) that $178.5M remains exposed today from projects that continue to use the default library setup instead of migrating to immutable or independently governed configurations.

> Heeaaaaaaaaated debate broke out in the ETHSecurity Community Telegram earlier today between LayerZero’s Bryan and security researchers.
>
> TLDR summary:
> - $3 billion+ of LZ OFTs were recently at risk of being compromised due to a default library contract that LZ Labs could…
>
> — Fishy Catfish (@CatfishFishy) [May 8, 2026](https://twitter.com/CatfishFishy/status/2052552571995169044?ref_src=twsrc%5Etfw)