Did the Biggest VCs Back an Insecure "Multisig" Bridge with NO Token?! (LayerZero)

By Michael @ CryptoEQ | CryptoEQ | 26 Apr 2023


You are reading an excerpt from our free, abridged report.


Investors

LayerZero Labs recently announced a $135 million Series A+ funding round at a $1 billion valuation. The impressive list of strategic investors includes a16z crypto, Sequoia, FTX, PayPal Ventures, Animoca, Softbank CEO Rene Marcelo Claure, Avalanche's ecosystem fund “Blizzard,” Polygon's ecosystem fund, Fantom's ecosystem fund, Dapper Labs, Kronos Research, Ethernity, ImToken Ventures, Matrixport, Coinbase, and Gemini. Additionally, notable angel investors, such as Tom Brady, Justin Timberlake, and Maria Eitel have also joined the round, further solidifying LayerZero Labs' position in the market.

The involvement of PayPal Ventures is noteworthy as LayerZero Labs is their first web3 project in their portfolio. This support from industry giants and influential individuals demonstrates the potential of LayerZero Labs as a game-changing force in the cryptocurrency and blockchain space.

Security and Vulnerabilities

LayerZero's protocol for "trustless inter-chain communication" operates by using two independent actors, the oracle and the relayer, to ensure its security. The LayerZero system operates as an on-chain endpoint that functions with the aid of an UltraLightNode (ULN), which depends on the actions of the oracle and relayer to facilitate communication between chains.

LayerZero diagram Source: LayerZero

When a message (M) is transmitted from chain A to chain B, the oracle first waits until the transaction that sends the message is finalized on chain A and then writes a commitment for the message bundle (e.g., the hash of the block header containing the message M) on chain B. The relayer subsequently provides chain B with proof of the message's presence in the stored header through means such as a Merkle proof.

LayerZero assumes that the relayer and oracle are independent and honest actors. However, the whitepaper acknowledges that if this assumption isn’t true, the two actors can collude, potentially resulting in an invalid block header and proof. Despite LayerZero's assertion that its design eliminates the possibility of collusion, this is not necessarily true, as the user application can define and change the relayer and oracle at any time, thereby altering the security assumptions. Therefore, it's not sufficient to assess the security of a LayerZero-based application once, as the user application has the capability to change its relayer and oracle, potentially compromising its security.
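
The delivery check described above, as an added example (not LayerZero's code or the author's): a toy Python model in which a Merkle root stands in for the oracle's block-header commitment, and `DestinationEndpoint`, `root_and_proof`, `scenario` and the sample messages are hypothetical names constructed for illustration. It shows that the check rejects a relayer acting alone, but cannot tell an oracle and relayer that agree on the same invalid commitment from an honest pair.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def root_and_proof(leaves, index):
    """Merkle root plus sibling path [(hash, sibling_is_left)] for leaves[index]."""
    level, path = [h(leaf) for leaf in leaves], []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])          # duplicate last node on odd levels
        sib = index ^ 1
        path.append((level[sib], sib < index))
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path

class DestinationEndpoint:
    """Toy model of the chain-B check; oracle and relayer are set by the application."""
    def __init__(self, oracle, relayer):
        self.oracle, self.relayer, self.commitments = oracle, relayer, set()

    def commit(self, sender, root):
        if sender != self.oracle:
            raise PermissionError("only the configured oracle may commit")
        self.commitments.add(root)

    def deliver(self, sender, message, root, proof):
        if sender != self.relayer or root not in self.commitments:
            return False
        node = h(message)
        for sibling, is_left in proof:
            node = h(sibling + node) if is_left else h(node + sibling)
        return node == root

CHAIN_A = [b"send 1 to alice", b"send 2 to bob", b"send 3 to carol"]  # constructed
FORGED = [b"send 1 to alice", b"send 999 to mallory", b"send 3 to carol"]  # constructed

def scenario(oracle_leaves, relayer_leaves, index=1):
    """Oracle commits to one message set; relayer proves leaf `index` of another."""
    ep = DestinationEndpoint("oracle", "relayer")
    ep.commit("oracle", root_and_proof(oracle_leaves, 0)[0])
    root, proof = root_and_proof(relayer_leaves, index)
    return ep.deliver("relayer", relayer_leaves[index], root, proof)

honest = scenario(CHAIN_A, CHAIN_A)        # both report chain A's real state
relayer_only = scenario(CHAIN_A, FORGED)   # oracle honest: forged root was never committed
both_collude = scenario(FORGED, FORGED)    # endpoint cannot tell this from the honest case
```

The endpoint only ever compares the relayer's proof with what the oracle wrote, so anyone assessing an application needs to know who currently holds each role and who can change them.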

“2-of-2 Multisig argument”/Oracle-Relayer Collusion

As the blockchain and cryptocurrency ecosystem grows, interoperability has become a crucial aspect. LayerZero is a protocol that aims to address this challenge through a unique approach, combining relayers and oracles to facilitate cross-chain communication. However, concerns about its security and trust assumptions have been raised, prompting a closer examination of the protocol's design and potential vulnerabilities.

LayerZero's Security Model and Trust Assumptions

LayerZero employs a set of contracts that define two roles: "relayers" and "oracles." Oracles are responsible for reporting the state of underlying blockchains, while relayers handle message delivery across chains and prove message validity. Users can choose which third-party relayer or oracle to use, and LayerZero serves as a neutral messaging bus and set of standards.

One point of concern is the LayerZero team's ability to modify the verification and proving library through a 2-of-5 multi-signature system. 

The trust assumptions include:

  1. Trusting that the protocol won't run or choose a corrupted relayer.
  2. Trusting that oracles are not corrupted.
  3. Trusting that LayerZero itself is not compromised.

The bridge's security is only as strong as its multi-signature system, potentially presenting a different security model than initially thought.

It’s been argued that setting up a custom configuration instead of relying on default settings can mitigate vulnerabilities identified by critics. With a custom configuration, validation libraries can't be modified, moved, or corrupted. However, some believe that securing the bridge should be the responsibility of the bridge team, not the projects using it.

As LayerZero's model is relatively new and untested, questions about the possibility of collusion between relayers and oracles have emerged. While users holding native assets on their native chains would not be affected by security issues, funds in liquidity pools could be exposed to risk.

LayerZero takes a different approach to blockchain interoperability than Axelar. Instead of providing the entire interoperability stack, LayerZero focuses on defining the roles of relayers and oracles. Users can choose any existing system to serve as a relayer or oracle, tailoring the solution to their specific needs.

barteck tweet about layerzero

Although LayerZero's whitepaper claims Chainlink will be the default oracle, Stargate Finance—a LayerZero-based project—currently uses a three-party signature composed of FTX, Sequoia, and Polygon as the oracle with relaying performed by LayerZero Labs.

LayerZero offers an innovative solution to blockchain interoperability, but its security and trust assumptions warrant further investigation. As the protocol continues to develop, it's essential for projects using LayerZero to carefully evaluate its security model and potential vulnerabilities to ensure the safety of their assets and the integrity of cross-chain communication.

Attack Vectors

LayerZero itself does not provide any security guarantees; the security of applications built on LayerZero depends on the app owners, or anyone in possession of their private keys, not doing anything irrational. In an adversarial environment, one can't assume the security of these applications until proven otherwise. Furthermore, when the relayer and oracle are the same entity, LayerZero inherits the security of the oracle service provider. As such, the risk is siloed, meaning control over the relayer and the oracle is necessary to corrupt the system. If a specific relayer/oracle is corrupted, only applications using those specific parties (relayer and oracle) will face an issue. This way, the risk is isolated and doesn’t affect the whole ecosystem.

Recently, claims were made by L2Beat regarding LayerZero's potential attack vectors. Even though tokens may be built using LayerZero and used according to its mechanics, it's still possible to steal funds from the tokens’ escrow if there’s a fault in the application. Additionally, LayerZero's security model assumes that app owners or those in possession of their private keys won't act irrationally, which is an incorrect assumption in an adversarial environment. Furthermore, it requires trust in the application owners as a trusted third party. Therefore, one can't make any assumptions about the security of the applications built using LayerZero. Finally, it should be noted that the worst-case security scenario can occur when the relayer and oracle are the same entity, as the risk is siloed and control over the relayer and the oracle is necessary to corrupt the system.

Competitors

CCIP: Cross-Chain Interoperability Protocol

Chainlink’s new Cross-Chain Interoperability Protocol (CCIP) features a cross-chain message relaying service and a cross-chain token bridge. Other forms of off-chain computation are also in development, such as FSS, DECO, and Town Crier. The advancements of CCIP can create a sort of cross-chain hybrid smart contract that can allow blockchains to communicate with each other. 

Chainlink's Cross-Chain Interoperability Protocol (CCIP) is poised to be a direct rival to LayerZero, particularly considering the latter's dependence on decentralized oracle networks for ensuring system security and its specific suggestion for applications to employ Chainlink as their default provider. Although CCIP remains in development and publicly available technical details are somewhat scarce, we can draw preliminary comparisons with LayerZero based on the information at hand.

CCIP embodies a more streamlined model in comparison to LayerZero, consisting solely of Chainlink's pre-existing decentralized oracle networks (DONs) and messaging router smart contracts (MSRCs), which are analogous to LayerZero's Endpoints. In contrast to LayerZero, CCIP consolidates the oracle and relayer functions, which are managed by Chainlink's DONs. As previously discussed, this design choice doesn’t significantly impact the system's safety or liveness in real-world scenarios.

LINK stack Source: Chainlink

The token bridge that's part of the CCIP uses hundreds of independent Chainlink nodes to sign and validate cross-chain token transactions, which reduces a single point of failure and enables cross-chain asset transfer. CCIP creates a universal ‘plug and play’ standard for developers working on smart contracts and allows developers to select the best code for the task at hand. Developers using CCIP can take advantage of Ethereum’s security and another chain’s speed and scalability all in one smart contract.

CCIP’s cross-chain message relaying service works as follows: A smart contract from a source chain can invoke Chainlink’s Messaging Router to leverage the Chainlink DON to securely send messages to the destination chain. Then, another Messaging Router will validate it and send it to the destination smart contract. This feature enables numerous use cases, including cross-chain yield harvesting, cross-chain collateralized loans, low-cost transaction computation, and new categories of DeFi applications over time. The CCIP token bridge is powered by Chainlink’s OCR 2.0, which involves Chainlink’s nodes cryptographically signing and validating all cross-chain token transactions. The token bridge supports minting and burning as well as locking and unlocking of ERC-20 tokens and is secured with Chainlink’s anti-fraud network.

The bridge offers developers a universal interface that can transfer tokens to any Chainlink-integrated blockchain across both EVM and non-EVM chains. This eliminates the need for developers to build separate bridges with complex security vulnerabilities.

bridge comparison table Source

Michael @ CryptoEQ

I am a Co-Founder and Lead Analyst at CryptoEQ. Gain the market insights you need to grow your cryptocurrency portfolio. Our team's supportive and interactive approach helps you refine your crypto investing and trading strategies.

