Bryan Pellegrino, CEO of the cross-chain interoperability protocol LayerZero, has publicly revealed a critical vulnerability in the Across Protocol’s token contract. In a social media post, Pellegrino alerted the Across Protocol team to a mistakenly exposed function that allowed for the arbitrary destruction and withdrawal of tokens from any wallet.
The vulnerability, stemming from an oversight in the implementation of OpenZeppelin’s ERC20 token standard, granted the Across Protocol the ability to reduce any account’s balance to zero at will. Furthermore, Pellegrino noted that both the Across Protocol and UMA Protocol contracts could mint an unlimited number of coins.
Despite informing the Across Protocol team of these critical issues, Pellegrino expressed disappointment with their seeming lack of urgency or concern.
To mitigate the vulnerability without the need for a token reissue, Pellegrino proposed a solution involving the transfer of contract ownership to a new, immutable smart contract. This new contract would prevent the minting of tokens beyond the total supply and eliminate the possibility of token destruction.
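As an added illustration, not code from Across, UMA or Pellegrino, the following Solidity sketch shows the pattern the article describes (privileged mint with no cap, and a burn reachable for any holder) next to the proposed fix: an immutable contract that takes over the owner role, exposes no burn path, and refuses any mint above the supply that exists when it is deployed. It assumes OpenZeppelin v5; contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical token reproducing the pattern described in the article:
// the owner can mint without limit and burn from any holder's balance.
contract PrivilegedToken is ERC20, Ownable {
    constructor() ERC20("Example", "EXM") Ownable(msg.sender) {}

    // Unbounded mint: nothing ties total supply to a ceiling.
    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }

    // Exposed burn: the owner can zero any account at will.
    function burn(address from, uint256 amount) external onlyOwner {
        _burn(from, amount);
    }
}

// Immutable guard installed as the token's owner. It has no function that
// reaches burn(), so ownership can no longer destroy balances, and it
// rejects any mint that would push supply above the cap fixed at deployment.
contract SupplyGuard {
    PrivilegedToken public immutable token;
    uint256 public immutable supplyCap;

    constructor(PrivilegedToken _token) {
        token = _token;
        supplyCap = _token.totalSupply(); // freeze the cap at today's supply
    }

    // The cap, not an admin key, is the control; with cap == current supply
    // every non-zero mint reverts, so issuance is effectively frozen.
    function mint(address to, uint256 amount) external {
        require(token.totalSupply() + amount <= supplyCap, "cap exceeded");
        token.mint(to, amount);
    }
    // Deliberately absent: burn(), transferOwnership(), any upgrade hook.
}

// Migration step: the current owner calls
// token.transferOwnership(address(guard)); after that call there is no
// address left that can burn, and no address that can mint past the cap.
```

Verifying the migration is a matter of reading `token.owner()` on chain and confirming it equals the guard address, and that the guard's bytecode exposes no burn selector.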