According to BlockBeats, on October 22, Bryan Pellegrino, CEO of cross-chain interoperability protocol LayerZero, addressed the Across Protocol team via social media regarding a significant issue in their token contract.

Pellegrino pointed out that the team had mistakenly exposed a function intended to be private. The function, which comes from OpenZeppelin's ERC20 token implementation and destroys tokens, was made available to the contract owner. This exposure allows the contract owner to withdraw tokens from any wallet at will and reduce any account balance to zero.

Additionally, Pellegrino noted that both the Across Protocol and UMA Protocol contracts allow unlimited minting. Despite being informed of these issues, the teams appeared indifferent.

To resolve this problem without reissuing the tokens, Pellegrino suggested transferring contract ownership to a new smart contract. This new contract should prevent minting beyond the total supply and disallow token destruction. Given the permanent nature of this vulnerability, the new contract must be immutable and should not include any ownership transfer functions.
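The following Solidity sketch is an added illustration of the kind of owner contract described above; it is not code from Pellegrino, LayerZero, Across or UMA. The `IOwnedToken` interface, the `mint(address,uint256)` signature, the contract name and the fixed `minter` address are assumptions, since the article does not give the token's actual function signatures.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface: the token's real owner-only functions are not shown in the article.
interface IOwnedToken {
    function mint(address to, uint256 amount) external; // assumed owner-only
    function totalSupply() external view returns (uint256);
}

/// Hypothetical guardian meant to become the token's owner.
/// Once it holds ownership, the only owner action it can ever perform is a capped mint.
contract MintCapGuardian {
    IOwnedToken public immutable token;
    address public immutable minter; // fixed at deployment, cannot be rotated
    uint256 public immutable cap;    // hard ceiling on the token's totalSupply

    error NotMinter();
    error CapExceeded(uint256 requested, uint256 available);

    constructor(IOwnedToken token_, address minter_, uint256 cap_) {
        require(address(token_) != address(0) && minter_ != address(0), "zero address");
        require(cap_ >= token_.totalSupply(), "cap below current supply");
        token = token_;
        minter = minter_;
        cap = cap_;
    }

    /// Forwards a mint to the token only while the result stays within the cap.
    function mint(address to, uint256 amount) external {
        if (msg.sender != minter) revert NotMinter();
        uint256 supply = token.totalSupply();
        uint256 available = cap > supply ? cap - supply : 0;
        if (amount > available) revert CapExceeded(amount, available);
        token.mint(to, amount);
    }

    // Deliberately absent: any burn forwarder, transferOwnership or
    // renounceOwnership forwarder, generic call/delegatecall passthrough,
    // proxy or upgrade hook, and selfdestruct. With none of these present,
    // the token's owner-only burn path has no caller once ownership moves here.
}
```

Deploying with `cap_` equal to the token's current `totalSupply()` disables further minting entirely. Before accepting such a contract, a reviewer would confirm it is not deployed behind a proxy, since that would reintroduce the mutability the proposal rules out.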

Pellegrino also mentioned that if the team has an active bug bounty program, they could credit the LayerZero team for this information.