A co-founder of LayerZero, which provides services to help blockchains bridge digital assets between each other, is denying accusations from a competitor that it covered up the existence of a critical “backdoor” vulnerability in its code.
James Prestwich, founder of the cross-chain bridging service Nomad, alleged in a blog post on Monday that LayerZero can bypass security controls in order to pass data between blockchains without anyone’s permission.
“A trusted-party vulnerability (also called a ‘backdoor’) is an undisclosed capability of a trusted party that can compromise the function of the system,” Prestwich explained in a tweet outlining his findings. According to Prestwich, LayerZero has the ability to unilaterally steal or move around funds locked up with platforms that use its bridging services with default settings.
Bryan Pellegrino, a co-founder of LayerZero, said the project does have backdoor-like capabilities but denied the platform has ever tried to hide them. Pellegrino said LayerZero was open about its security practices and gave the developers the ability to set parameters barring LayerZero from special access privileges.
“What they have wrong is that every application has the ability to just select their own security properties,” Pellegrino told CoinDesk. “All you have to do is set your configuration and there's nothing that anybody can ever do,” he continued. “James knows that describing anything as a critical security vulnerability is insane.”
Pellegrino suggested Prestwich’s motives may be tied to an upcoming Uniswap governance vote to pick a bridge provider.
Pellegrino said competing bridge providers such as Nomad and Wormhole have the same “backdoor” capabilities that Prestwich attributes to LayerZero. “In the worst case, LayerZero is equivalent to how Wormhole or how any other messaging layer works,” he told CoinDesk.
“The difference between a backdoor and a trust assumption is whether or not it's disclosed and documented, and whether or not the team seeks to conceal it,” Prestwich told CoinDesk. According to the Nomad founder, LayerZero publicly denied in a Uniswap forum discussion that it had any sort of special capabilities.
“Because they have publicly denied this capability, we believe they may be deliberately concealing the extent of their control over applications,” Prestwich originally tweeted.
LayerZero’s code auditor, Zellic, tweeted on Monday that the team “has been very upfront about the security properties of the system, and this is all widely known and well documented.”
Prestwich suggested there is a potential conflict of interest because the auditors are paid by the project.
“If you ask any person on Twitter, ‘Can LayerZero steal all Stargate funds?’ The answer would be no. The auditors and LayerZero are coming out and saying everybody always knew we could steal the money. That is not a defense and is also not true,” he told CoinDesk.
As for why he decided to disclose the “backdoor” in LayerZero’s code, Prestwich said in his blog post, “We have chosen to fully disclose because we believe that LayerZero is aware of these issues, and public disclosure is the best way to prompt app developers to set configuration.”
Pellegrino suggested Prestwich’s motives were more nefarious and tied to an upcoming Uniswap governance vote, which will see the community behind the largest decentralized exchange select an official bridge provider. The lead contenders in the vote are LayerZero and Wormhole, another major bridge service.
“What we have heard is that every competitor right now is extremely excited because if LayerZero wins this, we basically maintain a clear front-runner position, whereas if Wormhole wins it then there's no clear front-runner,” Pellegrino explained to CoinDesk.
Prestwich denies that he was motivated to disparage LayerZero as one of its competitors. “I think it's difficult to describe Nomad as a competitor to anyone given the situation that we are in,” he told CoinDesk. As a result of last summer’s hack, “We haven't run a bridge or a cross-chain messaging protocol in about six months.”
Prestwich told CoinDesk that a Uniswap voter asked that he audit LayerZero's code "as a disinterested third party" given his extensive background in cross-chain bridge technology and the Solidity programming language. Prestwich said the person who requested the audit did not work for Uniswap, but he declined to comment on whether the person was associated with Wormhole.
Prestwich said he did not receive payment for his research and did not show it to anyone other than LayerZero prior to publication.
CORRECTION (Jan. 30, 21:25 UTC): Prestwich was asked to audit LayerZero's code "as" a disinterested third party in the Uniswap vote, not "by" a disinterested third party in the vote.