Bridge Platform LayerZero Denies Allegations It Kept ‘Backdoor’ Secret

LayerZero, which provides services to help blockchains bridge digital assets between each other, is denying accusations from a competitor that it covered up the existence of a critical “backdoor” vulnerability in its code.

James Prestwich, founder of the cross-chain bridging service Nomad, alleged in a blog post on Monday that LayerZero can bypass security controls in order to pass data between blockchains without anyone’s permission.

“A trusted-party vulnerability (also called a ’backdoor’) is an undisclosed capability of a trusted party, that can compromise the function of the system,” Prestwich explained in a tweet outlining his findings. According to Prestwich, LayerZero has the ability to unilaterally steal or move around funds locked up with platforms that use its bridging services with default settings.

Bryan Pellegrino, a co-founder of LayerZero, acknowledged that the project has backdoor-like capabilities but denied that the platform has ever tried to hide them. According to Pellegrino, LayerZero was open about its security practices and gave the developers the ability to set parameters barring LayerZero from special access privileges.

“What they have wrong is that every application has the ability to just select their own security properties,” Pellegrino told CoinDesk. “All you have to do is set your configuration and there's nothing that anybody can ever do,” he continued. “James knows that describing anything as a critical security vulnerability is insane.”

Pellegrino says that competing bridge providers like Nomad and Wormhole have the same “backdoor” capabilities that Prestwich attributes to LayerZero. “In the worst case, LayerZero is equivalent to how Wormhole or how any other messaging layer works,” he told CoinDesk.

Prestwich says that other bridges – including Nomad, which suffered from a nine-figure hack over the summer – have similar access capabilities to LayerZero’s.

“The difference between a backdoor and a trust assumption is whether or not it's disclosed and documented, and whether or not the team seeks to conceal it,” he told CoinDesk. According to the Nomad founder, LayerZero publicly denied in a Uniswap forum discussion that it had any sort of special capabilities.

“Because they have publicly denied this capability, we believe they may be deliberately concealing the extent of their control over applications,” Prestwich originally tweeted.

LayerZero’s code auditor, Zellic, tweeted on Monday that the team “has been very upfront about the security properties of the system, and this is all widely known and well documented.”

Prestwich suggested there is a potential conflict of interest since the auditors are paid by the project.

“If you ask any person on Twitter, ‘Can LayerZero steal all Stargate funds?’ The answer would be no. The auditors and LayerZero are coming out and saying everybody always knew we could steal the money. That is not a defense and is also not true,” he told CoinDesk.

As for why he decided to disclose the “backdoor” in LayerZero’s code, Prestwich said in his blog post, “We have chosen to fully disclose because we believe that LayerZero is aware of these issues, and public disclosure is the best way to prompt app developers to set configuration.”

Pellegrino suggested Prestwich’s motives were more nefarious and tied to an upcoming Uniswap governance vote, which will see the community behind the largest decentralized exchange select an official bridge provider. The lead contenders in the vote are LayerZero and Wormhole, another major bridge service.

“What we have heard is that every competitor right now is extremely excited because if LayerZero wins this, we basically maintain a clear front-runner position, whereas if Wormhole wins it then there's no clear front-runner,” Pellegrino explained to CoinDesk.

Prestwich denies that he was motivated to disparage LayerZero as one of its competitors. “I think it's difficult to describe Nomad as a competitor to anyone given the situation that we are in,” he told CoinDesk. As a result of last summer’s hack, “We haven't run a bridge or a cross-chain messaging protocol in about six months.”

Prestwich did confirm to CoinDesk that “a disinterested third party in connection with the Uniswap Governance vote” requested that he audit LayerZero’s code. Prestwich said the third party did not work for Uniswap, but he refused to comment on whether the person was associated with Wormhole.

Prestwich says he did not receive payment for his research and did not show it to anyone other than LayerZero prior to publication.