TL;DR:
- LayerZero is being accused of operational security failures after its production multisig keys were found executing operations involving the McPepes memecoin.
- Three of the five signers of the 2-of-5 Gnosis Safe carried out transactions on decentralized exchanges, exposing keys that custody billions of dollars.
- CEO Bryan Pellegrino attributed the operations to former signers already removed and denied they were speculation, though part of the community rejected his explanation.
The cross-chain messaging protocol LayerZero is at the center of a new security controversy after it was revealed that its 2-of-5 production multisig keys on Gnosis Safe were used to execute operations on Uniswap involving the memecoin McPepes.
Screenshots of an internal discussion that went viral on X show that three of the five signers used those same keys for activities unrelated to multisig management, violating the basic principle of key isolation in critical infrastructure operations.
Keys Custodying Millions, Used to Buy Memecoins
One of the signers, identified by the address 0x1f5E377a3ADBe6f3289ADb6b21eae6427dfbb553, carried out an operation on March 1, 2023, swapping 0.198548073 ETH for approximately 1.73 million McPepes tokens through Uniswap V3. Another signer held around $12 million in the wallet while staking on Stargate. A third was engaged in liquidity provision on platforms such as Curve, PancakeSwap and SpookySwap.
The multisig had no timelock and the keys remained unrotated for several years. As the component controlling DVN configurations and libraries for LayerZero-compatible protocols, its exposure to malicious contract attacks and phishing schemes is alarming: just two compromised keys would have been enough to drain the entire multisig.
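The key-isolation check implied above can be written as a short audit. This is an added example, not code from the article or from LayerZero. The addresses and transactions are constructed placeholders, `audit_signers` is a hypothetical helper, and the rule that an isolated signer key only ever calls the Safe itself is an assumption of the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    sender: str  # EOA that signed the transaction
    to: str      # contract or account that was called
    note: str    # analyst label for the destination

# Constructed sample data: placeholder addresses, not real on-chain records.
SAFE = "0x" + "5a" * 20
OWNERS = ["0x" + f"{i:02x}" * 20 for i in range(1, 6)]
THRESHOLD = 2  # 2-of-5, as described in the article
TXS = [
    Tx(OWNERS[0], SAFE, "Safe execTransaction"),
    Tx(OWNERS[0], "0x" + "d1" * 20, "DEX swap router"),
    Tx(OWNERS[1], "0x" + "d2" * 20, "staking contract"),
    Tx(OWNERS[2], "0x" + "d3" * 20, "liquidity pool"),
    Tx(OWNERS[3], SAFE, "Safe execTransaction"),
]

def audit_signers(safe, owners, threshold, txs):
    """Report owner keys used outside the Safe and whether they reach quorum."""
    safe = safe.lower()
    exposure = {o.lower(): [] for o in owners}
    for tx in txs:
        sender = tx.sender.lower()
        # Assumption: an isolated signer key only ever calls the Safe itself.
        if sender in exposure and tx.to.lower() != safe:
            exposure[sender].append(tx.note)
    exposed = sorted(o for o, notes in exposure.items() if notes)
    return {
        "exposure": exposure,
        "exposed_owners": exposed,
        "isolated_owners": len(exposure) - len(exposed),
        # True when the reused keys alone could satisfy the signing threshold.
        "quorum_exposed": len(exposed) >= threshold,
    }

if __name__ == "__main__":
    report = audit_signers(SAFE, OWNERS, THRESHOLD, TXS)
    for owner in report["exposed_owners"]:
        print(owner, "->", ", ".join(report["exposure"][owner]))
    print("isolated owners:", report["isolated_owners"])
    print("quorum of exposed keys:", report["quorum_exposed"])
```

With three reused keys and a threshold of two, the audit reports that the exposed keys alone meet quorum, which is the condition the article describes.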
LayerZero’s Silence Speaks Louder than Words
Bryan Pellegrino, CEO of LayerZero, responded to the accusations by attributing the transactions to former signers who had already been removed and describing them as OFT tests, not speculation. Critics questioned that explanation, noting that a swap of ETH for a memecoin via Uniswap hardly fits the definition of testing.
Zach Rynes, from Chainlink, described the security practices as “terrifying” and warned about the risk of supply chain attacks for those using LayerZero in its default configuration. Yesterday, Solv Protocol announced the migration of over $700 million in tokenized BTC from LayerZero to Chainlink’s CCIP, citing security reviews and concerns with bridges.







