LayerZero (ZRO)

The @KelpDAO exploit didn’t technically break @LayerZero_Core. But it did reveal that millions of dollars could depend on a single weak security checkpoint and that feelsbadman. Because if that checkpoint failed, user funds were at risk. And once the market saw that setup, $ZRO dropped. And because LayerZero’s FDV moves with the $ZRO price, FDV naturally followed. IMO, the takeaway here is simple: Cross-chain security is only as strong as the config behind it. And when people start questioning the security setup, the market reacts fast. Other projects should study this.

We’re sharing our completed post-mortem on the April 18th incident, prepared with @Mandiant and @CrowdStrike. We are publishing both an executive summary and the full report at the link below. Over the past four weeks, we’ve worked with hundreds of partners to help them understand their current security posture, and harden it where appropriate. We’ll continue this work, alongside taking additional proactive steps for the benefit of not only our partners, but also the ecosystem as a whole. We want to extend our thanks to our partners for their support and patience this past month. There’s a reason that over $12 billion has moved across the network in the past four weeks, and why the world’s most valuable asset issuers have stood by our side: they believe in us, in what the LayerZero protocol has to offer, and in the value of modular, isolated, application-controlled security. The work continues. And we look forward to continue showing up for the applications that trust us with their business, as well as the

New post mortem confirms what we already knew: @LayerZero_Labs' centralized infrastructure was infiltrated by North Korean hackers, which resulted in the $292 million rsETH bridge exploit Turns out this required only a single engineer to be socially engineered, whose laptop was fully compromised for over 6 weeks without detection before exploit was executed, an insane single point of failure and lack of adequate monitoring This only builds on LZ Labs' extensive history of poor opsec, including trading memecoins like "McPepes" on production multisig keys, which weren't rotated for years and Bryan lied about and said was just "PEPE OFT testing" (3 keys on a 2-of-5 LZ Labs multisig were at risk of phishing attacks for years) And nevermind the fact I called out the EXACT centralization risk that resulted in the rsETH exploit 2 years ago, directly to Bryan, who lied and said no project was using LZ Labs DVN in 1-1 config (in reality, multiple projects were) Given it's now abundantly clear to anyone paying atte

We’re sharing our completed post-mortem on the April 18th incident, prepared with @Mandiant and @CrowdStrike. We are publishing both an executive summary and the full report at the link below. Over the past four weeks, we’ve worked with hundreds of partners to help them understand their current security posture, and harden it where appropriate. We’ll continue this work, alongside taking additional proactive steps for the benefit of not only our partners, but also the ecosystem as a whole. We want to extend our thanks to our partners for their support and patience this past month. There’s a reason that over $12 billion has moved across the network in the past four weeks, and why the world’s most valuable asset issuers have stood by our side: they believe in us, in what the LayerZero protocol has to offer, and in the value of modular, isolated, application-controlled security. The work continues. And we look forward to continue showing up for the applications that trust us with their business, as well as the

New post mortem confirms what we already knew: @LayerZero_Labs' centralized infrastructure was infiltrated by North Korean hackers, which resulted in the $292 million rsETH bridge exploit Turns out this required only a single engineer to be socially engineered, whose laptop was fully compromised for over 6 weeks without detection before exploit was executed, an insane single point of failure and lack of adequate monitoring This only builds on LZ Labs' extensive history of poor opsec, including trading memecoins like "McPepes" on production multisig keys, which weren't rotated for years and Bryan lied about and said was just "PEPE OFT testing" (3 keys on a 2-of-5 LZ Labs multisig were at risk of phishing attacks for years) And nevermind the fact I called out the EXACT centralization risk that resulted in the rsETH exploit 2 years ago, directly to Bryan, who lied and said no project was using LZ Labs DVN in 1-1 config (in reality, multiple projects were) Given it's now abundantly clear to anyone paying atte

We’re sharing our completed post-mortem on the April 18th incident, prepared with @Mandiant and @CrowdStrike. We are publishing both an executive summary and the full report at the link below. Over the past four weeks, we’ve worked with hundreds of partners to help them understand their current security posture, and harden it where appropriate. We’ll continue this work, alongside taking additional proactive steps for the benefit of not only our partners, but also the ecosystem as a whole. We want to extend our thanks to our partners for their support and patience this past month. There’s a reason that over $12 billion has moved across the network in the past four weeks, and why the world’s most valuable asset issuers have stood by our side: they believe in us, in what the LayerZero protocol has to offer, and in the value of modular, isolated, application-controlled security. The work continues. And we look forward to continue showing up for the applications that trust us with their business, as well as the