LayerZero Clarifies: Alleged Bug is a Design Feature

Posted 1 Jul 2024
Bryan Pellegrino, CEO of LayerZero, has dismissed claims by anonymous crypto sleuth 0x52 about a critical vulnerability in the protocol.

0x52 conducted an audit of UXDProtocol and found that the contract managing inter-protocol messages does not limit their length or the receiving address token count. The auditor warned that this could enable attackers to specify overly long destination addresses, causing system errors and substantial financial losses.

Pellegrino clarified that the ability to configure message and address lengths is an intentional feature. He argued that a fixed limit could introduce censorship, which contradicts LayerZero's goals. He also pointed out that this code has been part of the application configuration since 2022 and does not affect the Core protocol.

"Not only is this not a bug, this is by design in the protocol. Any messaging protocol that enshrines this configuration can now censor any application. You cannot have one without the other. We believe in censorship-resistant technology rails," explained the CEO.

Pellegrino’s reasoning swayed 0x52. The researcher removed the post discussing the supposed protocol flaw and issued an apology to the LayerZero team.