The co-founder of bridge platform LayerZero is refuting claims made by a rival that the company hid the presence of a significant “backdoor” vulnerability in its code.
In a blog post published on Monday, James Prestwich, the creator of the cross-chain bridging service Nomad, claimed that LayerZero can get around security measures to transfer data between blockchains without anyone’s consent. He explained in a tweet that a “backdoor” vulnerability can impact the system’s functionality via a hidden capability of a trusted party.
A trusted-party vulnerability (also called a “backdoor”) is an undisclosed capability of a trusted party, that can compromise the function of the system. We discuss two of these in the LayerZero contracts. https://t.co/C7Gh6ns56S
— James Prestwich (@_prestwich) January 30, 2023
Prestwich claimed that LayerZero has the power to unilaterally move or steal money that is locked up with platforms that utilize its bridging services in default settings.
LayerZero co-founder Bryan Pellegrino acknowledged that the project has backdoor-like capabilities but disputed claims that it has ever attempted to conceal them. Pellegrino argued that LayerZero was transparent about its security procedures and provided developers with the freedom to create restrictions preventing LayerZero from being granted special access privileges. Comparable access capabilities to LayerZero’s exist on other bridges, such as Nomad.
The company “has been very upfront about the security properties of the system, and this is all widely known and well documented,” said LayerZero code auditor Zellic in a tweet on Monday.
Pellegrino speculated that Prestwich’s motivations might be connected to an approaching Uniswap governance vote to choose a bridge provider.