Founder/CTO @nomadxyz_ | prev. founder at Storj, Summa | UTXO connoisseur | 🦀 | BETH Core Dev | Non-functional curries | too old to apply to Paradigm
3 subscribers
Jan 30, 2023 • 6 tweets • 3 min read
Think that the LayerZero backdoors were documented? Let's check their docs!
Here's the only mention of auto-upgrade. It does not say that the LayerZero team can use auto-upgrade to backdoor your application
layerzero.gitbook.io/docs/faq/layer…
Here's the documentation on UA configuration. It does not say that an unconfigured UA can be backdoored by the LayerZero team
The current party line is that everyone already knew that LayerZero had a backdoor to applications by default
This is not true. LayerZero consistently said that fraud CAN'T happen without relayer and oracle compromise
If you don't believe me, maybe take their word for it!
They also do not mention VL and PL configuration when talking about application security
Jan 30, 2023 • 7 tweets • 3 min read
Hello, today we are disclosing two critical trusted-party vulnerabilities in the LayerZero smart contracts. These issues allow the LayerZero team to completely bypass the Oracle and Relayer for most applications (including stargate).
prestwich.substack.com/p/zero-validat…
A trusted-party vulnerability (also called a "backdoor") is an undisclosed capability of a trusted party, that can compromise the function of the system. We discuss two of these in the LayerZero contracts.
stop saying "settlement layer" it makes you sound dumb
thread supplements a talk I gave in Lisbon at @NEARProtocol's NearCon, after a conversation w/ @ilblackdragon and others in telegram