Bug in Cross-Chain Partner of Uniswap? LayerZero Founder Steps in to Debug, Security Issues Become a Pandora's Box


Earlier, we reported that Uniswap launched a built-in cross-chain bridge, powered by the cross-chain protocol Across Protocol. However, Bryan Pellegrino, founder of the LayerZero omnichain interoperability protocol, recently pointed out publicly on Twitter that Across Protocol has a code vulnerability. Although Hart Lambur, the founder of Across Protocol, responded under the post, the issue remains unresolved.

Across Protocol Exposes OpenZeppelin's Internal Token-Burning Function

Bryan Pellegrino stated that, because of a vulnerability in Across Protocol, the internal function that OpenZeppelin uses to burn ERC-20 tokens is exposed. OpenZeppelin's partners include the Ethereum Foundation, Coinbase, Optimism, AAVE, Compound, Polkadot, and Uniswap, making its open-source contract library an industry standard.

Bryan Pellegrino pointed out that this vulnerability allows Across Protocol to freely withdraw tokens from any wallet, zero out tokens from any account at any time, and create the risk of malicious liquidation. He also mentioned that Across Protocol, under the leadership of Hart Lambur, along with the oracle token UMA, can actually mint tokens infinitely, which is interesting as Hart Lambur criticized the issue of infinite token minting just last week.

LayerZero Founder Steps in to Debug: Ownership of Contract Needs to be Transferred to a New Smart Contract

Bryan Pellegrino also provided a solution to this vulnerability, stating, "To fix this issue without reissuing tokens: transfer ownership of the contract to a new smart contract that restricts the total token supply and prohibits excessive minting and burn operations. As this is a permanent vulnerability, the new contract must be immutable and should not include any ownership transfer functions."
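To make the pattern under dispute concrete, here is an added illustration in Solidity that is not Across Protocol's code and not part of the original report. The first contract shows the risk the article describes: an ERC-20 whose owner can call thin wrappers around OpenZeppelin's internal `_mint` and `_burn`, so a single key can inflate supply or zero out any holder's balance. The second contract shows the kind of fix described above: an immutable guard that takes over ownership, enforces a supply cap on minting, exposes no burn path at all, and has no function to pass ownership on. The contract names, the `minter` role and the OpenZeppelin v5 `Ownable(initialOwner)` constructor signature are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5 (Ownable takes an initial owner).
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

// RISK PATTERN (illustrative, not Across Protocol's code):
// the owner gets unrestricted access to OpenZeppelin's internal _mint/_burn.
contract OwnerMintBurnToken is ERC20, Ownable {
    constructor() ERC20("Example Token", "EXT") Ownable(msg.sender) {}

    // Owner can inflate supply without any bound.
    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }

    // Owner can zero out any holder's balance without that holder's approval.
    function burn(address from, uint256 amount) external onlyOwner {
        _burn(from, amount);
    }
}

// FIX PATTERN: an immutable contract that becomes the token's owner.
// Deploy it, then call token.transferOwnership(address(guard)) once.
// After that, the only reachable path to mint is the capped one below,
// burn(from, amount) is unreachable because nothing here ever calls it,
// and ownership is locked because this contract cannot forward it.
contract SupplyGuard {
    OwnerMintBurnToken public immutable token;
    uint256 public immutable maxSupply;
    address public immutable minter; // assumption: one governance-controlled minter

    constructor(OwnerMintBurnToken _token, uint256 _maxSupply, address _minter) {
        require(_maxSupply >= _token.totalSupply(), "cap below current supply");
        require(_minter != address(0), "minter required");
        token = _token;
        maxSupply = _maxSupply;
        minter = _minter;
    }

    // Minting is allowed only up to the fixed cap.
    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        require(token.totalSupply() + amount <= maxSupply, "cap exceeded");
        token.mint(to, amount);
    }

    // Deliberately absent: any function calling token.burn(...) or
    // token.transferOwnership(...). Because the guard holds no owner role
    // of its own, nobody can add such a path later.
}
```

The point of the guard is that it removes capabilities rather than gating them: once `transferOwnership` has moved the token to `SupplyGuard`, the `onlyOwner` burn wrapper still exists in the token bytecode but no account can reach it, and because the guard has no owner and no upgrade path, that state cannot be reversed. A reviewer checking a deployment of this pattern would verify on-chain that the token's `owner()` is the guard address and that the guard's bytecode contains no call to the token's `burn` or `transferOwnership` selectors.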

Across Protocol Community Proposal to Fix Total Supply at One Billion Tokens

In response, Hart Lambur commented under the post that this is dishonest FUD and pointed out that Across Protocol's contract has already been audited by OpenZeppelin. Bryan Pellegrino questioned Hart Lambur's understanding of the code and stated that a contract audit cannot resolve the issue. He challenged Hart Lambur to a high-stakes debugging wager of one million pounds, saying that if he turns out to be wrong, he will donate the sum to the community.

However, Hart Lambur still maintains that there are no vulnerabilities in Across Protocol. Nevertheless, in the spirit of decentralization, he initiated a community governance vote to set the total token supply of Across Protocol at 1 billion tokens.

Bryan Pellegrino continued to press the question; after it was pointed out that the issue had been resolved, the conversation went no further.