A claim has been made that a security vulnerability was found in the default code LayerZero uses to verify cross-chain messages, exposing over $3 billion worth of Omnichain Fungible Tokens (OFTs) to theft risk. According to the X (formerly Twitter) account Fishy Catfish, the code had a structure that allowed LayerZero Labs, the developer, to replace it immediately without any separate delay mechanism, making it exploitable for message forgery. The controversy began with a heated debate between LayerZero CEO Bryan Pellegrino and security researchers in the ETHSecurity community Telegram, and Banteg, who has 220,000 followers, pointed out, "Major projects like Ethena and EtherFi were also using this default setting until a few weeks ago, and assets worth $178 million are still exposed." Fishy Catfish added, "Given its past history of attacks by North Korean hackers, the fact that operational multi-signature keys were used for daily activities such as memecoin trading was observed in on-chain data, raising questions about overall security management."
