LayerZero-Labs / LayerZero-v2


BUG: Backdoor Execution possible #72

Closed abhi3700 closed 15 hours ago

abhi3700 commented 1 month ago

Description

A trusted bridge between 2 contracts (on 2 different chains) could verify & execute an encoded message without it actually being sent from the source chain. For instance, Alice (from Nova) didn't send wTSSC to herself/Bob (on Sepolia), but the receiver (Alice/Bob) received it because of the bridge's verification and execution, given that the OApp chose the set of malicious DVNs.

One can watch this video 🎬 as a demo to understand. In the video, the bridge admin (a potential hacker) just executed 2 messages without them actually being sent from the source chain.

Old videos to get more context:

There are 2 repos where you can find the code:

abhi3700 commented 1 month ago

Sharing the discussion thread here from LZ team & community:

abhi3700 commented 1 month ago

Issue (still open)

"Any malicious bridge pretending to be a genuine one, if it could somehow (by showcasing different packets sent from multiple contracts) get a potential token contract (with high price value) to add it to its OApp/OFT/ONFT DVN security stack, the project suffers potentially billions of dollars of losses."

Potential solution

"LZ should introduce (sooner) their own LZ token and create a kind of blockchain-validator-like ecosystem with incentivization. That way it won't be so scattered."

abhi3700 commented 1 month ago

Reported to Bug Bounty program as well.

abhi3700 commented 1 month ago

Discord chat post Bug Report submission:


Currently, there are 2 main issues/disclaimers for developers using the LZ approach as a cross-chain solution:

  1. LZ is (kind of) centralized, with few DVNs available for message verification before its execution.
  2. An LZ OApp developer needs to apply due diligence before setting its DVN security stack.

bholcomb8 commented 15 hours ago

This has been hashed out on Discord and is not a vulnerability. OApp developers must choose the amount of security they want for their use case and pay for said security.
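The two points the thread turns on (an OApp's security is whatever DVN stack its developer configures, and that stack must be vetted) can be checked against a small model of the X-of-Y-of-N verification rule, where every required DVN must attest to a packet and at least a threshold of the optional DVNs must agree. This is an added simulation, not LayerZero code: the `Packet`, `DVN` and `UlnConfig` classes, the operator names, the endpoint ids and the packets are constructed assumptions.

```python
"""Model of the X-of-Y-of-N DVN rule that gates execution of a packet on
the destination chain. Constructed simulation, not LayerZero code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_eid: int        # constructed endpoint id, not a real LayerZero eid
    nonce: int
    payload_hash: str   # constructed stand-in for the packet's payload hash


@dataclass
class DVN:
    name: str
    # packets this operator actually observed being emitted on the source chain
    observed: set = field(default_factory=set)
    malicious: bool = False   # a rogue operator attests to anything it is asked

    def verify(self, pkt: Packet) -> bool:
        return self.malicious or pkt in self.observed


@dataclass
class UlnConfig:
    required: list                        # every required DVN must attest
    optional: list = field(default_factory=list)
    optional_threshold: int = 0           # how many optional DVNs must agree

    def verifiable(self, pkt: Packet) -> bool:
        if not all(d.verify(pkt) for d in self.required):
            return False
        return sum(d.verify(pkt) for d in self.optional) >= self.optional_threshold


# constructed sample data: one packet really sent, one never emitted on source
SENT = Packet(src_eid=1, nonce=1, payload_hash="0x01..sent")
FORGED = Packet(src_eid=1, nonce=2, payload_hash="0x02..never-emitted")
honest = DVN("independent-operator", observed={SENT})
rogue = DVN("bridge-admin-dvn", malicious=True)

# the stack the OApp developer chooses decides what the endpoint will accept
WEAK = UlnConfig(required=[rogue])            # one operator controls verification
STRONG = UlnConfig(required=[rogue, honest])  # an independent DVN must also attest


def audit(cfg: UlnConfig):
    """Return (genuine packet verifiable, never-sent packet verifiable)."""
    return cfg.verifiable(SENT), cfg.verifiable(FORGED)
```

With `WEAK` the never-sent packet is verifiable, with `STRONG` it is not; the genuine packet passes under both, which is exactly the due-diligence trade-off the list above describes.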