Closed abhi3700 closed 15 hours ago
Sharing the discussion thread here from LZ team & community:
"If any malicious bridge pretending to be genuine could somehow (by showcasing different packets being sent from multiple contracts) get a potential token contract (with high price value) to add it to their OApp/OFT/ONFT's DVN security stack, the project potentially suffers billions of dollars of losses."
"LZ should introduce (sooner) their own LZ token and create kind of blockchain validators-like ecosystem with incentivization. That way it won't be so scattered."
Reported to Bug Bounty program as well.
Discord chat post Bug Report submission:
Currently, there are 2 main issues/disclaimers for developers using the LZ approach as a cross-chain solution:
This has been hashed out on Discord and is not a vulnerability. OApp developers must choose the amount of security they want for their use case and pay for said security.
Description
A trusted bridge between 2 contracts (on 2 different chains) could verify & execute an encoded message without it actually having been sent from the source chain. For instance, Alice (from Nova) didn't send wTSSC to herself/Bob (on Sepolia), but the receiver (Alice/Bob) received it because of the bridge's verification and execution, given that the OApp chose the set of malicious DVNs.
One can watch this video 🎬 as a demo to understand. In the video, the bridge admin (potential hacker) just executed 2 messages without them actually having been sent from the source chain.
Old videos to get more context:
There are 2 repos where you can find the code:
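
Added example (not from the repositories mentioned above and not LayerZero code): a review check for the situation described in this thread, flagging any single operator whose DVNs alone satisfy an OApp's DVN stack. The required-plus-optional-threshold stack shape, the `DvnStack`, `is_verified` and `sole_verifiers` names, and the DVN-to-operator mapping are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DvnStack:
    """Hypothetical model of an OApp's DVN security stack (not LayerZero's API)."""
    required: frozenset          # every one of these DVNs must attest
    optional: frozenset = frozenset()
    optional_threshold: int = 0  # how many optional DVNs must also attest

def is_verified(stack, attesting):
    """True when the attesting DVNs satisfy the stack's quorum."""
    attesting = set(attesting)
    return (stack.required <= attesting
            and len(stack.optional & attesting) >= stack.optional_threshold)

def sole_verifiers(stack, operator_of):
    """Operators whose own DVNs alone satisfy the quorum.

    Such an operator can mark a message verified without any independent
    party confirming that it was sent on the source chain.
    DVNs missing from operator_of are treated as independent (assumption).
    """
    if not stack.required and stack.optional_threshold <= 0:
        raise ValueError("stack requires no attestation at all")
    dvns = stack.required | stack.optional
    owner = {d: operator_of.get(d, d) for d in dvns}
    flagged = []
    for op in sorted(set(owner.values())):
        controlled = {d for d, o in owner.items() if o == op}
        if is_verified(stack, controlled):
            flagged.append(op)
    return flagged

# Constructed sample data: DVN names and operators are made up.
OPERATORS = {"dvn-1": "bridge-admin", "dvn-2": "bridge-admin",
             "dvn-3": "operator-a", "dvn-4": "operator-b"}
SINGLE = DvnStack(required=frozenset({"dvn-1"}))
DISGUISED = DvnStack(required=frozenset({"dvn-1", "dvn-2"}))  # two DVNs, one operator
MIXED = DvnStack(required=frozenset({"dvn-1", "dvn-3"}),
                 optional=frozenset({"dvn-2", "dvn-4"}), optional_threshold=1)

if __name__ == "__main__":
    for name, stack in [("single", SINGLE), ("disguised", DISGUISED), ("mixed", MIXED)]:
        print(name, sole_verifiers(stack, OPERATORS))
```

The check is only as good as the operator mapping: two DVN addresses that look independent but share an operator are the case it is meant to catch.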