TL;DR:
The cross-chain messaging protocol LayerZero is at the center of a new security controversy after it was revealed that its 2-of-5 production multisig keys on Gnosis Safe were used to execute operations on Uniswap involving the memecoin McPepes.
Screenshots of an internal discussion that went viral on X show that three of the five signers used those same keys for activities unrelated to multisig management, violating the basic principle of key isolation in critical infrastructure operations.
One of the signers, identified by the address 0x1f5E377a3ADBe6f3289ADb6b21eae6427dfbb553, carried out an operation on March 1, 2023, swapping 0.198548073 ETH for approximately 1.73 million McPepes tokens through Uniswap V3. Another signer held around $12 million in the wallet while staking on Stargate. A third was engaged in liquidity provision on platforms such as Curve, PancakeSwap and SpookySwap.
The multisig had no timelock, and the keys remained unrotated for several years. Because it controls DVN configurations and libraries for LayerZero-compatible protocols, its exposure to malicious contract attacks and phishing schemes is alarming: just two compromised keys would have been enough to drain the entire multisig.
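
The key-isolation check described above, as an added example that is not from LayerZero or from the original article: it flags signer keys that sent transactions anywhere other than the Safe itself and reports whether the exposed signers alone reach the threshold. All addresses and transaction records are constructed placeholders, and `audit_signers` is a hypothetical helper.

```python
from collections import defaultdict

# Constructed placeholders, not real addresses or on-chain records.
SAFE = "0xSAFE"
OWNERS = ["0xOWNER1", "0xOWNER2", "0xOWNER3", "0xOWNER4", "0xOWNER5"]
THRESHOLD = 2  # 2-of-5, as described in the article

# Constructed outbound transactions for the signer keys.
TXS = [
    {"from": "0xOWNER1", "to": "0xSAFE", "label": "Safe execTransaction"},
    {"from": "0xOWNER1", "to": "0xDEX_ROUTER", "label": "DEX swap"},
    {"from": "0xOWNER2", "to": "0xSTAKING", "label": "staking deposit"},
    {"from": "0xOWNER3", "to": "0xAMM_POOL", "label": "liquidity provision"},
    {"from": "0xOWNER4", "to": "0xSAFE", "label": "Safe approveHash"},
    {"from": "0xOTHER", "to": "0xDEX_ROUTER", "label": "unrelated account"},
]


def audit_signers(safe, owners, threshold, txs, allowlist=()):
    """Flag signer keys that transacted with anything but the Safe."""
    allowed = {safe.lower(), *(a.lower() for a in allowlist)}
    owner_set = {o.lower() for o in owners}
    findings = defaultdict(list)
    for tx in txs:
        sender, target = tx["from"].lower(), tx["to"].lower()
        if sender in owner_set and target not in allowed:
            findings[sender].append(f'{tx["label"]} -> {tx["to"]}')
    exposed = sorted(findings)
    return {
        "exposed_signers": exposed,
        "findings": dict(findings),
        # Policy is breached by a single reused key; control of the Safe is
        # at risk once the exposed keys alone can meet the threshold.
        "quorum_at_risk": len(exposed) >= threshold,
        "clean_signers": sorted(owner_set - set(exposed)),
    }


if __name__ == "__main__":
    report = audit_signers(SAFE, OWNERS, THRESHOLD, TXS)
    for signer, hits in report["findings"].items():
        print(signer, "used outside the multisig:", "; ".join(hits))
    print("quorum at risk:", report["quorum_at_risk"])
```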

Bryan Pellegrino, CEO of LayerZero, responded to the accusations by attributing the transactions to former signers who had already been removed and describing them as OFT tests, not speculation. Critics questioned that explanation, noting that a swap of ETH for a memecoin via Uniswap hardly fits the definition of testing.
Zach Rynes, from Chainlink, described the security practices as “terrifying” and warned about the risk of supply chain attacks for those using LayerZero in its default configuration. Yesterday, Solv Protocol announced the migration of over $700 million in tokenized BTC from LayerZero to Chainlink’s CCIP, citing security reviews and concerns with bridges.