Bryan Pellegrino, CEO of LayerZero, a cross-chain interoperability protocol, has disclosed a critical vulnerability in the Across Protocol’s token contract.
LayerZero CEO Reveals Critical Vulnerability in Across Protocol's Token Contract
Pellegrino disclosed the vulnerability via social media, warning that it could allow malicious actions including token destruction and balance manipulation across user wallets.
The issue arises from a function that was intended to be private but was inadvertently made public in the contract.
According to Pellegrino, the flawed functionality stems from OpenZeppelin’s ERC20 token implementation and allows the contract owner to destroy tokens or empty wallets, reducing the balance of any account to zero.
Unlimited Token Minting Flaw Discovered in Across and UMA Protocols
In addition to the aforementioned kill vulnerability, Pellegrino has also identified a separate flaw in both the Across and UMA Protocol contracts that could allow for unlimited token minting.
This could have devastating consequences for the protocols’ token economies, potentially leading to serious market manipulation or loss of trust.
Pellegrino expressed concern that despite the seriousness of the discovery, neither project responded after being notified.
To reduce risks without having to reprint tokens, Pellegrino suggested transferring ownership of the vulnerable token contract to a new smart contract.
This new contract will ensure security by eliminating overprinting and token destruction features. Pellegrino emphasized that the new contract should be immutable and ownership transfer limited to ensure long-term protection.
*This is not investment advice.
