Heated debate erupted yesterday in the "ETH Security Community" Telegram channel between LayerZero's Bryan Pellegrino and leading community security researchers.
What's the Scoop?
- Immense Risk: Security researchers revealed that more than $3B in LayerZero OFTs were (until recently) dependent on a default library contract, which LayerZero Labs could upgrade instantly with no timelock, theoretically allowing forged cross-chain messages. This mirrors the setup that was recently exploited in the KelpDAO hack. According to Yearn contributor banteg, major protocols including Ethena and EtherFi were still relying on this default library configuration as recently as a few weeks ago, despite the clear risks associated with centralized upgrade control.
- Poor Security Practices: The researchers questioned the security practices of LayerZero's multisig wallet signers, with James Prestwich noting that signing keys had been used to trade "McPepes" (PEPES) memecoins and conduct other personal transactions, indicating that the keys belonged to the day-to-day addresses of internal LayerZero contributors. LayerZero's Pellegrino responded that such signers have been removed from the multisig, and claimed any memecoin trading was related to official team tests (a defense which was refuted by Prestwich).
- Continued Exposure: Although many teams have migrated away from LayerZero's default security settings in the aftermath of the KelpDAO exploit, researchers claim that $178.5M remains exposed today in projects that continue to use the default library setup instead of migrating to immutable or independently governed configurations.
Heeaaaaaaaaated debate broke out in the ETHSecurity Community Telegram earlier today between LayerZero’s Bryan and security researchers.
— Fishy Catfish (@CatfishFishy) May 8, 2026
TLDR summary:
- $3 billion+ of LZ OFTs were recently at risk of being compromised due to a default library contract that LZ Labs could…