Bryan Pellegrino, CEO of LayerZero, has disclosed a critical vulnerability in the token contract of Across Protocol that puts user wallet security at risk.
Vulnerability Disclosure
Pellegrino disclosed the vulnerability via social media, warning it could allow malicious actions such as token destruction and balance manipulation across user wallets. The issue arises from a function that was intended to be private but was inadvertently made public in the contract.
Unlimited Token Minting Flaw
In addition to the aforementioned flaw, Pellegrino identified a separate issue in both the Across and UMA Protocol contracts that could allow unlimited token minting. This could lead to significant consequences for the protocols’ token economies, including serious market manipulation or loss of trust.
Suggestions for Resolution
To mitigate the risks without reissuing tokens, Pellegrino suggested transferring ownership of the vulnerable token contract to a new smart contract. This new contract should ensure security by eliminating the ability to mint excess tokens or destroy tokens. Pellegrino emphasized that the new contract should be immutable, with limited ownership transfer to guarantee long-term protection.
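The suggested mitigation, sketched as an added example that is not code from Across, UMA or Pellegrino: a non-upgradeable owner contract that exposes no path to mint or destroy tokens. It assumes the token's privileged functions are restricted to its owner; the interface, contract name, `guardian` role and the one-time forwarding rule are hypothetical, the last being one possible reading of "limited ownership transfer".

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal view of an owner-controlled token. Assumption: the
// token's mint and burn functions can only be called by owner().
interface IOwnedToken {
    function owner() external view returns (address);
    function transferOwnership(address newOwner) external;
}

/// Illustrative restricted owner. Once the token's ownership is transferred
/// to this contract, nothing here can call mint or burn on the token, and
/// there is no proxy or setter through which such a call could be added.
contract RestrictedTokenOwner {
    IOwnedToken public immutable token;   // token whose ownership is held
    address public immutable guardian;    // hypothetical governance address
    bool public ownershipForwarded;       // one-shot flag, never reset

    event OwnershipForwarded(address indexed newOwner);

    constructor(IOwnedToken token_, address guardian_) {
        require(address(token_) != address(0), "token is zero address");
        require(guardian_ != address(0), "guardian is zero address");
        token = token_;
        guardian = guardian_;
    }

    /// Lets anyone confirm on-chain that the handover actually happened.
    function holdsOwnership() external view returns (bool) {
        return token.owner() == address(this);
    }

    /// Limited ownership transfer (assumed policy): the guardian may forward
    /// ownership at most once, and only to another contract, never an EOA.
    function forwardOwnership(address newOwner) external {
        require(msg.sender == guardian, "caller is not guardian");
        require(!ownershipForwarded, "ownership already forwarded");
        require(newOwner.code.length > 0, "new owner must be a contract");
        ownershipForwarded = true;
        token.transferOwnership(newOwner);
        emit OwnershipForwarded(newOwner);
    }
}
```

Checking `holdsOwnership()` after the handover, and reviewing that the deployed bytecode has no delegatecall or generic call forwarding, is what lets holders verify the privileged functions are no longer reachable.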
The revelation of vulnerabilities in Across and UMA Protocols highlights the necessity of robust smart contract security. Timely response and security enhancements should be a priority for every project.