We previously reported that Uniswap has launched a built-in cross-chain bridge, built in partnership with the cross-chain protocol Across Protocol. However, Bryan Pellegrino, the founder of the LayerZero full-chain interoperability protocol, recently stated publicly on Twitter that Across Protocol has a code vulnerability. Although Hart Lambur, the founder of Across Protocol, responded to the post, the issue remains unresolved.
Bryan Pellegrino stated that, due to the vulnerability in Across Protocol, the private function that OpenZeppelin uses to destroy ERC-20 tokens has been exposed. OpenZeppelin has collaborated with Ethereum Foundation, Coinbase, Optimism, AAVE, Compound, Polkadot, and Uniswap, and its open-source contract library is considered an industry standard.
Bryan Pellegrino pointed out that this vulnerability allows Across Protocol to freely withdraw tokens from any wallet, zero out tokens from any account at any time, and create the risk of malicious liquidation. He also mentioned that Across Protocol, under Hart Lambur’s leadership, can effectively mint an infinite number of tokens, which is interesting because Hart Lambur criticized the issue of infinite token minting just last week.
In response to this vulnerability, Bryan Pellegrino proposed a solution, stating, “To fix this issue without reissuing tokens: transfer contract ownership to a new smart contract that restricts the total token supply and prohibits excessive minting and burning operations. Since this is a permanent vulnerability, the new contract must be immutable and should not include any ownership transfer functionality.”
Hart Lambur responded to this proposal by stating that it is dishonest FUD (Fear, Uncertainty, Doubt) and pointed out that Across Protocol’s contract has been audited by Open Zeppelin. Bryan Pellegrino questioned Hart Lambur’s understanding of code and stated that contract audits cannot solve the problem. He also challenged Hart Lambur to a highest-level debugging bet of £1 million, stating that he would donate it to the community if he discovers he is wrong one day.
However, Hart Lambur insisted that Across Protocol does not have any vulnerabilities. Nevertheless, in the spirit of decentralization, he initiated a community governance vote to fix the total supply of Across Protocol tokens at 1 billion.
In response to Bryan Pellegrino’s continuous inquiries, Hart Lambur directly stated that the issue has been resolved. The conversation did not continue after that.
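The fix Pellegrino proposed, combined with the 1 billion cap from the governance vote, can be sketched as an immutable owner contract. This is an added example, not code from Across Protocol, LayerZero or OpenZeppelin; the `IOwnedMintToken` interface, the `governor` role, the contract name and the 18-decimal assumption are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interface: assumes the token has an owner-only mint and a
// standard totalSupply. The real token's function names may differ.
interface IOwnedMintToken {
    function mint(address to, uint256 amount) external;
    function totalSupply() external view returns (uint256);
}

// Intended to hold ownership of the token permanently. It has no upgrade
// path, no owner of its own and no function that hands token ownership on.
contract CappedTokenOwner {
    IOwnedMintToken public immutable token;
    address public immutable governor; // hypothetical: the only caller allowed to mint

    // 1 billion tokens, assuming 18 decimals (assumption, not from the page).
    uint256 public constant MAX_SUPPLY = 1_000_000_000 * 10 ** 18;

    error NotGovernor();
    error CapExceeded(uint256 requested, uint256 available);

    constructor(IOwnedMintToken token_, address governor_) {
        require(address(token_) != address(0), "token is zero address");
        require(governor_ != address(0), "governor is zero address");
        token = token_;
        governor = governor_;
    }

    // Forwards a mint only if the resulting supply stays within MAX_SUPPLY.
    function mint(address to, uint256 amount) external {
        if (msg.sender != governor) revert NotGovernor();
        uint256 supply = token.totalSupply();
        uint256 available = supply >= MAX_SUPPLY ? 0 : MAX_SUPPLY - supply;
        if (amount > available) revert CapExceeded(amount, available);
        token.mint(to, amount);
    }

    // Deliberately absent: any burn forwarder and any transferOwnership
    // forwarder. Once this contract owns the token, the owner-only burn of
    // arbitrary balances and uncapped minting become unreachable.
}
```

The guarantee holds only after the token's ownership has actually been transferred to the deployed contract, which anyone can confirm by reading the token's owner on-chain and comparing it with this contract's address.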