TL;DR:
- LayerZero is being accused of operational security failures after its production multisig keys were found executing swaps of the McPepes memecoin.
- Three of the five signers of the 2-of-5 Gnosis Safe carried out transactions on decentralized exchanges, exposing keys that custody billions of dollars.
- CEO Bryan Pellegrino attributed the operations to former signers already removed and denied they were speculation, though part of the community rejected his explanation.
The cross-chain messaging protocol LayerZero is at the center of a new security controversy after it was revealed that its 2-of-5 production multisig keys on Gnosis Safe were used to execute operations on Uniswap involving the memecoin McPepes.
Screenshots of an internal discussion that went viral on X show that three of the five signers used those same keys for activities unrelated to multisig management, violating the basic principle of key isolation in critical infrastructure operations.
Keys Custodying Millions, Used to Buy Memecoins
One of the signers, identified by the address 0x1f5E377a3ADBe6f3289ADb6b21eae6427dfbb553, carried out an operation on March 1, 2023, swapping 0.198548073 ETH for approximately 1.73 million McPepes tokens through Uniswap V3. Another signer held around $12 million in the wallet while staking on Stargate. A third was engaged in liquidity provision on platforms such as Curve, PancakeSwap and SpookySwap.
The multisig had no timelock and the keys remained unrotated for several years. As the component controlling DVN configurations and libraries for LayerZero-compatible protocols, its exposure to malicious-contract attacks and phishing schemes is alarming: with a 2-of-5 threshold and no delay, just two compromised keys would have been enough to execute any transaction the multisig controls, with no window for the other signers to react.
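The three hygiene failures above (signing keys used for unrelated DeFi activity, a low threshold with no timelock, keys left unrotated for years) are the kind of thing a periodic audit of a Safe's owner set should catch. The script below is an added example, not code from LayerZero, Safe or this article: it runs the three checks over constructed sample data. The Safe address, owner addresses, counterpart contracts and dates are placeholders, and a real audit would populate `SAMPLE_TXS` from an explorer or indexer rather than from inline literals.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Tx:
    """One on-chain transaction signed by an EOA (constructed sample data)."""
    sender: str   # externally owned account that signed it
    to: str       # contract it called
    method: str   # function called on that contract
    day: date


@dataclass
class SafeConfig:
    """Owner set and policy of a Safe multisig (placeholder values, not LayerZero's)."""
    address: str
    owners: tuple
    threshold: int
    timelock: bool
    owner_since: dict  # owner -> date the key was added to the owner set


def key_isolation_violations(safe, txs):
    """Map each owner key to the transactions it sent anywhere other than the
    Safe itself. A dedicated signing key should only call the multisig
    (approveHash / execTransaction); a swap, deposit or liquidity call from the
    same EOA means that key is exposed to phishing and malicious contracts."""
    owners = {o.lower() for o in safe.owners}
    out = {}
    for tx in txs:
        if tx.sender.lower() in owners and tx.to.lower() != safe.address.lower():
            out.setdefault(tx.sender, []).append(tx)
    return out


def stale_owners(safe, today, max_age_days):
    """Owners whose key has sat in the owner set longer than the rotation policy."""
    return sorted(o for o, since in safe.owner_since.items()
                  if (today - since).days > max_age_days)


def audit(safe, txs, today, max_age_days=365):
    """Ordered findings: key isolation first, then threshold/timelock, then key age."""
    findings = []
    for owner, bad in sorted(key_isolation_violations(safe, txs).items()):
        targets = ", ".join(sorted({t.to for t in bad}))
        findings.append(f"HIGH key-isolation: {owner} signed {len(bad)} non-Safe tx(s) to {targets}")
    if not safe.timelock:
        findings.append(
            f"HIGH no-timelock: {safe.threshold} compromised key(s) out of "
            f"{len(safe.owners)} execute immediately, with no window to react")
    for owner in stale_owners(safe, today, max_age_days):
        findings.append(f"MEDIUM stale-key: {owner} unrotated since {safe.owner_since[owner]}")
    return findings


# Constructed placeholder configuration: 2-of-5, no timelock, four old keys.
SAFE = SafeConfig(
    address="0xsafe0001",
    owners=("0xowner1", "0xowner2", "0xowner3", "0xowner4", "0xowner5"),
    threshold=2,
    timelock=False,
    owner_since={
        "0xowner1": date(2021, 6, 1), "0xowner2": date(2021, 6, 1),
        "0xowner3": date(2021, 6, 1), "0xowner4": date(2021, 6, 1),
        "0xowner5": date(2024, 9, 1),
    },
)

# Constructed sample transactions; contract names are placeholders.
SAMPLE_TXS = [
    Tx("0xowner1", "0xsafe0001", "execTransaction", date(2023, 3, 1)),   # fine
    Tx("0xowner1", "0xdexrouter", "exactInputSingle", date(2023, 3, 1)),  # swap from a signer key
    Tx("0xowner2", "0xstakingpool", "deposit", date(2023, 2, 10)),        # staking from a signer key
    Tx("0xowner3", "0xlppool", "add_liquidity", date(2022, 11, 5)),       # LP from a signer key
    Tx("0xowner4", "0xsafe0001", "approveHash", date(2023, 3, 2)),        # fine
    Tx("0xstranger", "0xdexrouter", "exactInputSingle", date(2023, 3, 3)),  # not an owner; ignored
]

if __name__ == "__main__":
    for line in audit(SAFE, SAMPLE_TXS, date(2025, 1, 1)):
        print(line)
```

The isolation check is deliberately strict: any call from an owner EOA to something other than the Safe is flagged, because the safe pattern is a cold, single-purpose key whose only job is to approve or execute Safe transactions. Gas top-ups and Safe module calls would need an allow-list in a production version.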
LayerZero’s Silence Speaks Louder than Words
Bryan Pellegrino, CEO of LayerZero, responded to the accusations attributing the transactions to former signers already removed and describing them as OFT tests, not speculation. Critics questioned that explanation, noting that a swap of ETH for a memecoin via Uniswap hardly fits the definition of testing.
Zach Rynes, from Chainlink, described the security practices as “terrifying” and warned about the risk of supply chain attacks for those using LayerZero in its default configuration. Yesterday, Solv Protocol announced the migration of over $700 million in tokenized BTC from LayerZero to Chainlink’s CCIP, citing security reviews and concerns with bridges.