ULNv1 Deprecation

Recently, an anonymous group of whitehat security researchers reached out to the LayerZero team and reported an issue regarding potential griefing of applications by blocking messaging chain paths.

After vetting the claim, our entire development team entered a war room to gauge the potential severity and exposure of the issue. We pulled in leading auditing firm and renowned security expert, Zellic, who we have collaborated with extensively in the past and know to be some of the best in the world when it comes to these situations. Within hours, we concluded that while the issue was legitimate, no funds were at risk; a malicious actor could potentially grief applications, but applications would still be able to fully recover their state. Once the scope of the issue was determined, we began working on what the best solution would look like and worked hand in hand with both Zellic and the white hat group in evaluating these early options.

We have awarded the white-hat researchers a bounty of $250,000 and we thank them for their incredible integrity and professionalism throughout this entire process. Shortly after the original disclosure, samczsun independently reached out and reported the same issue. We informed him that the report was a collision of the existing report. While it is common to not award bounties for duplicate reports, our team has chosen to make an exception in this specific case. For his independent report, we will additionally be awarding samczsun a bounty of $50,000, or 20% of the first reporter’s bounty. samczsun’s tremendous efforts and continued contributions toward Web3 security cannot be overstated.

LayerZero’s Security Process

Security is a fundamental part of the LayerZero team’s culture. As always, we spent time consulting with many of the industry leaders around best practices for security processes and worked closely with Zellic during the timeline of this patch & disclosure.

We adopt the industry-standard best practice of defense-in-depth. Our process is such that every single piece of code goes through multiple layers of internal review, followed by at least one or multiple external audits. Outside of extreme circumstances, we do not push unaudited code. When funds are not directly at risk (like in this scenario), pushing unaudited code is counterproductive–and the possibility of introducing a new bug or increasing risk exposure is unacceptable.

As soon as we established that there were no funds at risk, we adopted the following process:

First, we drew up initial patch candidates and reviewed them with both the disclosing group and Zellic. Based on multiple iterations of feedback, we selected a final patch candidate to submit for a formal audit.

Then, we spent several weeks implementing NASA-level testing standards and dry-runs to validate our update of the smart contracts. For mission-critical code, it is paramount that every deployment or update is extremely well-tested. Our process includes:

• Repeated testing on forked mainnet chains with accurate block speeds
• The use of internal red and blue teams to simulate a live attack-and-defense scenario during the upgrade
• Simulation of LayerZero traffic during the upgrade (both high volume and low volume)
• Elimination of human error. All updates must be done fully programmatically to eliminate human error. Automated deployment scripts are always audited by every member of the development team
• A minimum of 20 dry-runs that all meet the internal timing requirements with zero human intervention

Testing is insufficient unless it accurately represents the real-world conditions it intends to validate. Our process emphasizes simulating the entire end-to-end LayerZero ecosystem as realistically and thoroughly as possible. We believe that this level of rigor should be standard across Web3.

Are applications built on top of LayerZero at risk of being griefed right now?

No. As of this announcement, ULNv1 is now deprecated, the patch has been successfully completed and ULNv2 is live on mainnet.