LayerZero default security setting flaw leaves $178M in assets exposed
May 08, 2026, 7:39 AM
A security vulnerability in the default code LayerZero uses to validate cross-chain messages has reportedly exposed over $3 billion in Omnichain Fungible Tokens (OFTs) to potential theft. According to the X account Fishy Catfish, developer LayerZero Labs could replace that code instantly, with no time delay, creating a structure that could be exploited to forge messages.
The issue sparked a heated debate between LayerZero CEO Bryan Pellegrino and security researchers in the ETHSecurity community's Telegram channel. Banteg, a researcher with 220,000 followers, noted that major projects like Ethena and EtherFi were using this default setting until a few weeks ago and that $178 million in assets remain exposed.
Fishy Catfish added that on-chain data suggests operational multi-signature keys were used for routine activities like memecoin trading, raising questions about the project's overall security management, particularly given its history of being targeted by North Korean hackers.