- Security researcher Banteg sparked controversy when he analyzed LayerZero’s multisig implementation, which exposed billions of dollars in OFT (Omnichain Fungible Token) assets to potential compromise.
- His research also showed that LayerZero’s default configuration creates serious security risks for many connected projects.
- The controversy pushed several protocols to harden their setups or move to alternatives such as Chainlink CCIP.
A heated debate broke out in the ETHSecurity Community Telegram group between Bryan Pellegrino (co-founder and CEO of LayerZero) and security researchers. The dispute centred on a default library setting that LayerZero Labs could change without a timelock, putting more than $3 billion in LayerZero Omnichain Fungible Tokens (LZ OFTs) at risk of an attack similar to the recent rsETH hack.
The Spark: An Immutable Library Revealed
The researcher also highlighted that LayerZero’s library setup lets the team push changes immediately, with no delay such as a timelock. With this setup, the multisig signers could craft a cross-chain message that mimics a legitimate rsETH transfer, the same effect the attackers in that hack achieved by passing forged verification.
Projects like Athena and EtherFi were using this default library as recently as a few weeks ago, according to Banteg. Even now, onchain data shows $178 million in value across various projects remains at risk if LayerZero Labs’ control is abused.
Yearn developer Banteg escalated the issue after warning that many protocols still relied on LayerZero’s 3-of-5 multisig. He added that projects relying on the default library without additional safeguards were taking on unnecessary risk, since any compromise of LayerZero’s multisig could let attackers drain connected adapters immediately.
Following the Kelp exploit, Banteg said the adapters at risk initially represented about $3.13 billion in exposure, although that figure dropped significantly after some projects froze their configurations.
Despite these improvements, he emphasized that many protocols remain exposed. By publishing specific technical findings on the integration’s security, Banteg shifted the debate from theory to concrete risk, raising concerns about LayerZero as a central dependency.
LayerZero does not need to be malicious for a vulnerability to arise; any compromise of its systems could lead to an attack on every dependent product. This echoes earlier research that found similar risks in LayerZero’s Endpoint and UltraLightNode contracts.
Multisig Signers Caught in a Very Dangerous Deal
Onchain evidence shows that LayerZero Labs’ multisig signers, whose keys are meant to protect billions of dollars, were used for unrelated personal activity. This included selling the memecoin McPepes (PEPES) on Uniswap, DEX swaps, and bridging assets, exposing the signing keys to phishing and fraudulent sites.
Zach Rynes, a Chainlink community liaison, called it out on X (formerly Twitter). He cited a complete failure of basic opsec and key isolation, which raised supply-chain concerns.
LayerZero’s Bryan said he was testing “PEPE’s OFT integration,” but critics noted that PEPE had not been deployed at all and that McPepes is a different token. The poor hygiene of these key holders echoes their earlier exposure to North Korean attackers; the Lazarus Group had previously gone after them through tampered RPCs.
LayerZero’s Profile of Security Issues
LayerZero Labs has faced repeated scrutiny for opsec weaknesses. North Korean hackers reportedly compromised team devices and tampered with RPC data in the KelpDAO rsETH incident, in which $290-292 million was stolen; LayerZero, for its part, criticized Kelp’s use of a single DVN.
Earlier reports, such as the ZeroValidation findings on signature handling that let messages through without proper signatures, are cited by those favouring migration as signs of a centralized point of failure that reaches users’ funds.
The rsETH hack showed how weak verification configurations increase risk, and critics say LayerZero’s defaults push users into those dangerous paths without clear warnings.
Bryan vs Researchers: Clash on Telegram
In the ETHSecurity Telegram debate, Bryan defended LayerZero, but researchers pushed back on the library’s risks and the misuse of the multisig. They emphasized that production keys linked to DEX and memecoin trading were obvious phishing bait, especially given prior North Korean targeting. Bryan declined further comment, but the group highlighted the $3B+ OFT exposure.
Influencer Backlash and Project Shifts
Another crypto commentator, Ed, wrote on X that the protocol’s defenders were ignoring the main issue: its centralized infrastructure had been compromised.
KelpDAO, after a joint effort with LayerZero on April 18, announced the migration of rsETH to Chainlink CCIP, citing concerns about infrastructure security and unanswered questions.
Solv Protocol has followed with major changes: it plans to move more than $700 million of SolvBTC and xSolvBTC assets away from LayerZero bridges after a security review.
Together, these migrations reflect a growing industry shift, as major protocols prioritize stronger security guarantees, more responsive governance, and sound cross-chain architecture.
The moves show strong interest in more secure messaging, with roughly $1 billion in assets shifting toward Chainlink CCIP. Industry voices like Yearn’s Banteg and Zach Rynes have amplified the concerns about LayerZero and pushed for stronger security measures.
More on Cross-Chain security
LayerZero’s OFT (Omnichain Fungible Token) standard powers billions of dollars in cross-chain token transfers using a burn-and-mint mechanism: tokens are burned on the source chain and minted on the destination chain. Although this model has supported many projects across blockchains, its security configuration has raised concerns.
In practice, security relies heavily on LayerZero Labs’ multisig, meaning a small group of key holders controls critical settings. If those keys are exposed or internal systems are compromised, users’ funds and the protocol’s integrity may be at risk.
Security experts have pointed out that some of LayerZero’s libraries lack robust safeguards or safe defaults, which undermines confidence in its bridge design.
As a result, several projects are now rethinking their reliance on LayerZero and moving to alternatives such as Chainlink CCIP, which they view as more secure.
The shift carries a broad lesson for the crypto industry: strong code alone is not enough. Protocols also need sound operational security, including timelocks, isolated key management, and multiple independent verifiers.
For users, the real threat often comes not just from smart contract bugs but from third-party dependencies and weak operational practices behind the scenes.
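To make the controls above concrete (a verifier quorum instead of a single verifier, a timelock on changes to a shared default, and an app pinning its own configuration so a default swap cannot reach it), here is a toy model of a burn-and-mint omnichain token. It is an added example written for this article, not LayerZero’s code or any project’s contract: HMAC tags stand in for verifier signatures, the class and verifier names (`Endpoint`, `OFT`, `dvn-A`, `labs-multisig`) and the 48-hour delay are assumptions, and the real LayerZero library and DVN mechanism is only loosely mirrored. The scenario plays out the four cases the article discusses: an honest 2-of-3 transfer, a replayed message, a forged message backed by one compromised verifier, and a compromised admin key swapping the default to an attacker-controlled verifier, which the timelock delays and which a pinned app ignores.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed example: burn-and-mint bridge with a verifier quorum, a timelocked
# default-config change, and per-app config pinning. Not LayerZero's code.


class Verifier:
    """Independent message verifier (a DVN, in LayerZero terms). HMAC stands in for a signature."""

    def __init__(self, name: str):
        self.name = name
        self._key = secrets.token_bytes(32)  # private key known only to this verifier

    def attest(self, h: bytes) -> bytes:
        return hmac.new(self._key, h, hashlib.sha256).digest()

    def check(self, h: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.attest(h), tag)


@dataclass(frozen=True)
class Config:
    verifiers: tuple  # tuple of Verifier
    threshold: int    # attestations required before a mint is honoured


@dataclass(frozen=True)
class Message:
    src: str
    dst: str
    nonce: int
    receiver: str
    amount: int

    def hash(self) -> bytes:
        return hashlib.sha256(f"{self.src}|{self.dst}|{self.nonce}|{self.receiver}|{self.amount}".encode()).digest()


class TimelockError(Exception): ...
class VerificationError(Exception): ...


class Endpoint:
    """Shared messaging layer: owns the default config, which the admin may change only via timelock."""

    def __init__(self, admin: str, default: Config, delay: int):
        self.admin, self.default, self.delay = admin, default, delay
        self.pending = {}  # change_id -> (Config, earliest execution time)
        self.pinned = {}   # app name -> Config the app chose for itself (opts out of the default)

    def config_for(self, app: str) -> Config:
        return self.pinned.get(app, self.default)

    def propose_default(self, caller: str, cfg: Config, now: int) -> str:
        if caller != self.admin:
            raise PermissionError("only the admin may change the default")
        cid = secrets.token_hex(4)
        self.pending[cid] = (cfg, now + self.delay)
        return cid

    def execute_default(self, cid: str, now: int) -> None:
        cfg, ready = self.pending[cid]
        if now < ready:
            raise TimelockError(f"{ready - now}s of timelock remaining")
        self.default = cfg
        del self.pending[cid]


class OFT:
    """One omnichain token: burn on the source chain, mint on the destination after quorum."""

    def __init__(self, name: str, endpoint: Endpoint):
        self.name, self.endpoint = name, endpoint
        self.balances = {}  # (chain, account) -> amount
        self.nonces = {}    # src chain -> last nonce issued
        self.seen = set()   # (src, nonce) already minted: replay protection

    def burn(self, src: str, account: str, amount: int, dst: str, receiver: str) -> Message:
        if self.balances.get((src, account), 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[(src, account)] -= amount
        self.nonces[src] = self.nonces.get(src, 0) + 1
        return Message(src, dst, self.nonces[src], receiver, amount)

    def mint(self, msg: Message, attestations: dict) -> int:
        cfg = self.endpoint.config_for(self.name)
        if (msg.src, msg.nonce) in self.seen:
            raise VerificationError("replayed message")
        h = msg.hash()
        valid = sum(1 for v in cfg.verifiers if v.name in attestations and v.check(h, attestations[v.name]))
        if valid < cfg.threshold:
            raise VerificationError(f"only {valid}/{cfg.threshold} valid attestations")
        self.seen.add((msg.src, msg.nonce))
        self.balances[(msg.dst, msg.receiver)] = self.balances.get((msg.dst, msg.receiver), 0) + msg.amount
        return valid


def attest_all(verifiers, msg: Message) -> dict:
    return {v.name: v.attest(msg.hash()) for v in verifiers}


def outcome(fn, err=VerificationError, ok="minted", bad="rejected") -> str:
    """Run an attempt and report whether it went through or was stopped by `err`."""
    try:
        fn()
        return ok
    except err:
        return bad


def scenario() -> dict:
    a, b, c = Verifier("dvn-A"), Verifier("dvn-B"), Verifier("dvn-C")
    strong = Config((a, b, c), threshold=2)
    ep = Endpoint(admin="labs-multisig", default=strong, delay=48 * 3600)
    follower = OFT("FollowerOFT", ep)   # relies on the endpoint's default config
    pinned = OFT("PinnedOFT", ep)
    ep.pinned[pinned.name] = strong     # this app froze its own config
    for oft in (follower, pinned):
        oft.balances[("ethereum", "alice")] = 1_000
    out, now = {}, 0
    msg = follower.burn("ethereum", "alice", 100, "arbitrum", "alice")       # 1. honest 2-of-3 transfer
    follower.mint(msg, attest_all((a, b), msg))
    out["honest"] = follower.balances[("arbitrum", "alice")]
    out["replay"] = outcome(lambda: follower.mint(msg, attest_all((a, b), msg)))  # 2. replay
    forged = Message("ethereum", "arbitrum", 99, "mallory", 1_000_000)       # 3. no burn ever happened
    out["single_dvn"] = outcome(lambda: follower.mint(forged, attest_all((a,), forged)))
    evil = Verifier("dvn-evil")                                              # 4. admin key compromised
    cid = ep.propose_default("labs-multisig", Config((evil,), threshold=1), now)
    out["timelock"] = outcome(lambda: ep.execute_default(cid, now), TimelockError, "bypassed", "blocked")
    ep.execute_default(cid, now + ep.delay)  # the delay elapsed; the default swap lands
    out["follower_after_swap"] = outcome(lambda: follower.mint(forged, attest_all((evil,), forged)))
    out["pinned_after_swap"] = outcome(lambda: pinned.mint(forged, attest_all((evil,), forged)))
    return out


if __name__ == "__main__":
    print(scenario())
```

The last two results are the point: once the default swap lands, the app that follows the default honours a forged mint from a single attacker verifier, while the app that pinned a 2-of-3 quorum still rejects it. The timelock does not prevent the swap; it only buys the window in which apps can pin or freeze, which is what the article describes projects doing after the Kelp incident.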