LayerZero CEO Bryan Pellegrino recently uncovered a critical vulnerability in the token contract of the Across Protocol. Through social media, Pellegrino alerted the public to the potential for malicious actions such as token destruction and balance manipulation across user wallets. The vulnerability stemmed from a function that was meant to be private but was mistakenly made public in the contract. Pellegrino traced the flawed functionality back to OpenZeppelin’s ERC20 token implementation, which granted the contract owner the ability to destroy tokens or empty wallets, effectively reducing any account balance to zero.
In addition to the token-destruction vulnerability, Pellegrino also discovered a separate flaw in both the Across and UMA Protocol contracts. This flaw could enable unlimited token minting, posing serious risks to the protocols’ token economies and potentially leading to market manipulation and loss of trust. Despite notifying both projects about the discovery, Pellegrino expressed concern over their lack of response.
To mitigate the risks without having to reissue the token, Pellegrino proposed transferring ownership of the vulnerable token contract to a new smart contract. This new contract would have no unlimited-minting or token-destruction capability, ensuring long-term security. Pellegrino emphasized the importance of immutability and limited ownership transfer to guarantee ongoing protection.
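To make the defect class and the proposed fix concrete, the following is an added Solidity sketch written for this article; it is not the Across, UMA, or OpenZeppelin code, and every contract and function name in it (ExampleToken, mint, burnFrom, FrozenOwner, ownershipLocked) is invented for illustration. It assumes OpenZeppelin Contracts v5 import paths and the v5 Ownable constructor that takes an initial owner. The first contract shows owner-callable supply-changing entry points of the kind described above; the second is an ownership-holder contract in the spirit of Pellegrino's proposal: once it owns the token, nothing can reach those privileged functions, because the holder has no code path that calls them and no way to hand ownership back.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed: OpenZeppelin Contracts v5 layout.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

/// Hypothetical token (names invented) showing the two risks the article
/// describes. OpenZeppelin's _mint and _burn are internal helpers; the
/// defect is exposing them through owner-callable external functions.
contract ExampleToken is ERC20, Ownable {
    constructor(uint256 initialSupply)
        ERC20("Example", "EXM")
        Ownable(msg.sender)
    {
        _mint(msg.sender, initialSupply);
    }

    /// No supply cap: the owner can mint without limit.
    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }

    /// Burns from an arbitrary holder with no allowance check: the owner
    /// can reduce any account balance to zero. A helper like this should
    /// have stayed internal (or never existed) rather than being external.
    function burnFrom(address holder, uint256 amount) external onlyOwner {
        _burn(holder, amount);
    }
}

/// Mitigation in the spirit of the article's proposal: a minimal,
/// non-upgradeable contract that becomes the token's owner. It deliberately
/// contains no wrapper for mint, burnFrom, or transferOwnership, no
/// delegatecall, and no selfdestruct, so the privileged entry points on the
/// token become unreachable for good.
contract FrozenOwner {
    ExampleToken public immutable token;

    constructor(ExampleToken _token) {
        token = _token;
    }

    /// Defender-side check: true once the token's ownership has actually
    /// been moved here (call after token.transferOwnership(address(this))).
    function ownershipLocked() external view returns (bool) {
        return token.owner() == address(this);
    }
}
```

Deployment follows the article's steps: deploy FrozenOwner with the live token's address, have the current owner call `transferOwnership(address(frozenOwner))`, then confirm `ownershipLocked()` returns true and, independently, that the FrozenOwner bytecode has no function that invokes the token's privileged selectors. If no owner-only administration is needed at all, OpenZeppelin's `renounceOwnership()` (which sets the owner to the zero address) achieves the same unreachability with less code; the separate holder contract is the option when some narrowly limited owner action must remain, which is what "limited ownership transfer" in the proposal points to.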