LayerZero Official
Published in

LayerZero Official

LayerZero Security Update — April 2022

If this past week has shown us anything, it’s that there is nothing more critical in this space than an absolute commitment to continuously evaluating and improving security. Not just once, but an ongoing process of continuous hardening.

This is why we’re extremely pleased to announce and demonstrate our commitment to this by introducing the largest ever security bug bounty, with a top award of $15,000,000.

We will be working with Immunefi and other groups in the coming weeks to hammer out the exact details and roll this out — if you’d like to get started immediately consider these fully in effect as of this moment.

So let’s talk about things we’ve done this week to harden security of both the LayerZero and the Stargate protocols

We’ve migrated all EOAs to multisigs for Stargate and LayerZero. You can find them here and here.

We’ve worked with some of the best security experts in the world to deploy improved and more secure validation libraries. We will verify those contracts and link to them here as soon as the migration is finished.

We’ve begun the process of moving Stargate to a separate multisig and will be working with the community on a process to elect who those multisig key holders are. The process of this transition will take some time, but finding the right people for this is incredibly important.

Pre-Crime

Imagine a world where crimes can be stopped before they ever happen (ok ok this isn’t as dystopian as that). We’re implementing a 2 phase mechanism in the LayerZero Labs Relayer for Stargate.

Phase 1: The Dome — In the weeks since launch we’ve seen an multiple sophisticated attacks launched at Stargate (all of which have been deflected) but to further security we will be implementing The Dome, a system which (at the relayer level) deflects all attacks from malicious external contracts rendering them useless.

Phase 2: Pre-Crime — Pre-Crime takes this a step further and evaluates all messages sent from Stargate (since we’ve already excluded malicious external parties), runs the result locally, and will stop any fraudulent message or attack that would ever result in the Stargate system and Delta algorithm books being off-balance or insolvent. Stopping the crime before it ever had a chance to occur.

You can read all about the Pre-Crime System here.

Security Controls

It’s also important to add clarity around exactly what each component does within the LayerZero ecosystem and what they can and cannot do.

What does the LayerZero multisig have the ability to do?

  • Create new validation libraries. This could be anything from upgrading an existing library (by issuing a new version), creating a more gas-optimized version, or implementing something entirely new (zkp, oru, etc.)
  • Change which library the ‘Default’ setting points to.
  • Why would you want this? The point of the default setting is so that applications don’t need to think about when major migrations happen. An example of this would be the Ethereum proof migration from Merkel Patricia Trees to Verkel Trees on Ethereum.

What does the Stargate multisig have the ability to do?

  • Change which validation library it uses. It can point to a specific library or it can point to ‘Default’
  • Specify which oracle and relayer it uses
  • Specify the block confirmation parameterization for each chain/pathway (i.e. set to 25 outbound confs when leaving Ethereum)

What do all dapps built on LayerZero have the ability to do?

  • Change which validation library it uses. It can point to a specific library or it can point to ‘Default’
  • Specify which oracle and relayer it uses
  • Specify the block confirmation parameterization for each chain/pathway (i.e. set to 25 outbound confs when leaving Ethereum)

What does LayerZero multisig NOT have the ability to do?

  • ever modify an existing library version
  • ever change the config for any application — including their library settings, block confs, or oracle/relayer settings

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ryan Zarick

Ryan Zarick

Co-founder and CTO at LayerZero Labs