Layer Zero is a cross-chain messaging protocol. The architecture is as follows:
- User Application (UA) calls endpoint.
- Endpoint emits an event on chain A.
- Off-chain infrastructure attests the message.
- Relayer sends the message through on chain B.
- UA receives the message on chain B.
The protocol allows configuration of the relayer and the oracle per application. This suggests that anyone can implement an off-chain relayer and use it themselves. The author had a question: "when does the LayerZero Labs Relayer stop listening to messages?"
In the contract UltraLightNodeV2, the function send() handles the event emission process for a cross-chain message. Interestingly, the event does NOT emit the relayer address itself. This piqued the author's interest! If it's not in the event, then the LZ relayer must keep track of each User Application (UA) that it supports. This feels racy.
Remember, there's no source for the off-chain infra! So, they started asking questions... what happens if a user changes their config? They submitted a PoC on chain in which the Relayer and Oracle price submissions were 0, then changed the Oracle/Relayer config back to the original LZ default.
By doing this, the LZ relayer relayed the transaction without getting paid during the submission process. This means that you can use LZ for free and drain the funds from the LZ relayer wallet. Naturally, if these funds are drained then the other apps would no longer work.
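The race above, as an added toy model (not LayerZero's contracts or relayer code): the emitted packet names the UA but not the relayer, so a relayer that asks "is this UA my customer?" against the *current* config relays a message nobody paid it for, while a relayer that keys on the send-time fee record does not. The per-message `paid_to` record and the `price_of` table are assumptions of the model.

```python
from dataclasses import dataclass, field

LZ_RELAYER = "lz_relayer"              # default relayer most UAs are configured with
ATTACKER_RELAYER = "attacker_relayer"  # zero-price relayer the UA owner points at briefly

@dataclass
class Packet:
    ua: str
    nonce: int
    paid_to: str   # relayer the send-time config paid (assumed to be recoverable per message)
    fee: int

@dataclass
class Chain:
    relayer_of: dict = field(default_factory=dict)  # UA -> currently configured relayer
    price_of: dict = field(default_factory=dict)    # relayer -> fee it charges
    packets: list = field(default_factory=list)     # emitted cross-chain messages

    def send(self, ua: str, nonce: int) -> None:
        relayer = self.relayer_of[ua]  # the config at send time decides who gets paid
        self.packets.append(Packet(ua, nonce, relayer, self.price_of[relayer]))

def naive_select(chain: Chain) -> list:
    """Racy: decides per UA using the config at relay time, not at send time."""
    return [p for p in chain.packets if chain.relayer_of[p.ua] == LZ_RELAYER]

def checked_select(chain: Chain) -> list:
    """Relays only packets whose send-time fee record names this relayer."""
    return [p for p in chain.packets if p.paid_to == LZ_RELAYER]

def run_scenario(select) -> list:
    """Constructed sequence of config changes around a send; returns what gets relayed."""
    chain = Chain(price_of={LZ_RELAYER: 100, ATTACKER_RELAYER: 0})
    chain.relayer_of["app"] = LZ_RELAYER        # normal state
    chain.relayer_of["app"] = ATTACKER_RELAYER  # 1. point the UA at a zero-price relayer
    chain.send("app", 1)                        # 2. send: LZ is paid nothing for this packet
    chain.relayer_of["app"] = LZ_RELAYER        # 3. flip the config back before LZ polls
    chain.send("app", 2)                        # a legitimately paid packet for comparison
    return [(p.nonce, p.paid_to, p.fee) for p in select(chain)]
```

The naive relayer relays nonce 1 for free; the checked relayer only relays nonce 2, so the unpaid packet is left for the relayer the UA actually configured.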
The smart contracts are open source but none of the off-chain code is. The author decided to black-box test some code to see how it would react. To me, this is interesting but crosses an important trust threshold. What if a malicious actor was looking at these transactions and then mimicked the exploit? Unlike web2, where your traffic is your own, doing live testing on-chain could lead to further issues.