Odaily Planet Daily News - LayerZero CEO Bryan Pellegrino posted on platform X to inform the Across Protocol team that, "I want to notify you that there is a verification issue with your token contract. You have incorrectly exposed a function that should be an internal private function, which was written by Open Zeppelin in its ERC20 token implementation for burning tokens, and has given it to the contract owner. This allows you to withdraw tokens from any wallet at any time and arbitrarily set any account's balance to zero. In addition, both the Across Protocol and UMA Protocol contracts have unlimited minting capabilities, but I have already notified you of these two issues, and you seem to not care. Resolving this issue does not require reissuing tokens: transfer the contract ownership to a new smart contract to prevent the minting amount from exceeding the total supply and also disallow destruction. Since this is a permanent vulnerability, the new contract must be immutable and should not include any function to transfer ownership. If you have an active vulnerability bounty program, you can credit this information to the LayerZero team."
See original
LayerZero CEO: Vulnerability in Across Token Contract
Disclaimer: Includes third-party opinions. No financial advice. May include sponsored content. See T&Cs.
UMA
2.7
-4.96%
Replies 0
