LayerZero CEO Warns of Critical Bug in Across Protocol's ACX Token

All-in station
11 hours ago
This article is machine translated

On October 22, Bryan Pellegrino, CEO of the cross-chain interaction protocol LayerZero, posted on social media to warn the Across Protocol development team about a serious error in their token contract.

Specifically, Pellegrino said:

"You have inadvertently exposed a function that was supposed to be a private internal function, written by OpenZeppelin during the deployment of the ERC20 token to destroy tokens, but you have granted this power to the contract owner. This allows you to withdraw tokens from any wallet and arbitrarily set the balance of any account to 0."

In addition, Pellegrino pointed out that both Across Protocol and UMA Protocol face another serious problem: the ability to issue an unlimited number of tokens. He said he had warned the development team about this issue but did not receive a satisfactory response.

To resolve these issues without re-issuing the token, Pellegrino recommends that Across Protocol transfer ownership of the token contract to a new smart contract. That contract needs a mechanism to prevent the issuance of tokens beyond the total supply, and it must remove the ability to destroy tokens. He also emphasized that the new contract must be immutable and must not contain any function that allows ownership to be transferred.
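
One way to write the owner contract described above, in Solidity. This is an added example, not code from Pellegrino, Across or UMA: the `IOwnedToken` interface, the `CappedMintOwner` name, the fixed `minter` address and the `supplyCap` value are all assumptions, since the article does not give the real token's function signatures.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface of the owned token (hypothetical; the real token's
// owner-only functions may be named or typed differently).
interface IOwnedToken {
    function mint(address to, uint256 amount) external returns (bool);
    function totalSupply() external view returns (uint256);
}

/// Meant to be set as the token's owner. It has no burn path, no
/// ownership-transfer path and no upgrade hook, so once the token's
/// ownership points here the owner-only burn can no longer be reached.
contract CappedMintOwner {
    IOwnedToken public immutable token;  // token whose ownership this contract holds
    uint256 public immutable supplyCap;  // hard ceiling on totalSupply, fixed at deploy
    address public immutable minter;     // only caller allowed to request mints (assumption)

    error NotMinter();
    error CapExceeded(uint256 requested, uint256 available);
    error MintFailed();

    constructor(IOwnedToken token_, uint256 supplyCap_, address minter_) {
        require(address(token_) != address(0) && minter_ != address(0), "zero address");
        require(supplyCap_ >= token_.totalSupply(), "cap below current supply");
        token = token_;
        supplyCap = supplyCap_;
        minter = minter_;
    }

    /// The only state-changing entry point: a mint bounded by the cap.
    function mint(address to, uint256 amount) external {
        if (msg.sender != minter) revert NotMinter();
        // Checked arithmetic: if supply ever exceeds the cap this reverts,
        // so the contract fails closed.
        uint256 available = supplyCap - token.totalSupply();
        if (amount > available) revert CapExceeded(amount, available);
        if (!token.mint(to, amount)) revert MintFailed();
    }
}
```

Because every field is `immutable` and the contract never calls a burn or ownership-transfer function on the token, reviewing this one file is enough to confirm which owner powers remain after the handover.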

Pellegrino also suggested that if Across Protocol has an active bug bounty program, the LayerZero team could be recognized for their contribution in discovering this vulnerability.
