Layerzero Discloses RPC Poisoning Incident Linked to $292M KelpDAO Hack
Briefly

"According to an official update, the attackers poisoned the source of truth for internal Remote Procedure Calls (RPCs) used by the Layerzero Labs Decentralized Verifier Network (DVN). This sophisticated hit coincided with a Distributed Denial of Service (DDoS) attack against the firm's external RPC provider. The fallout, according to the report, was contained to a small fraction of the ecosystem. Layerzero noted that the incident impacted a single application, representing 0.14% of total apps and 0.36% of the total value locked on the protocol."
"Layerzero also acknowledged that they failed to police what their DVN was securing, which created a single point of failure risk. To rectify this, the lab is now educating developers on safe configurations and will no longer service 1/1 DVN setups. The disclosure also addressed a bizarre security lapse involving a multisig signer. Three and a half years ago, an individual mistakenly used a multisig hardware wallet for a personal trade. The signer has since been removed, and the firm has implemented a custom-built multisig solution dubbed Onesig."
"Layerzero Labs is migrating all defaults to a 5/5 DVN setup to improve cross-chain security. Since April 19, the team detailed that it has been working with external security partners to finalize a comprehensive post-mortem report. The team further admitted to a significant oversight in allowing their DVN to act as a solo verifier for high-value transactions. Layerzero Labs issued a candid apology for a three-week communication silence following a security breach involving the Lazarus Group."
"Onesig is designed to prevent unauthorized backend transactions by hashing and merklizing transactions locally on the user's side. Layerzero noted that it is also inc"
Lazarus Group attacked Layerzero Labs by poisoning the internal RPC sources of truth used by the Decentralized Verifier Network (DVN). The attack coincided with a DDoS against an external RPC provider, and the combined disruption was contained to a small fraction of the ecosystem. The incident affected one application, representing 0.14% of total applications and about 0.36% of total value locked associated with Layerzero. Layerzero Labs apologized for three weeks of communication silence and worked with external security partners to finalize a comprehensive post-mortem report. The breach revealed an oversight: the DVN was allowed to act as the solo verifier for high-value transactions, creating a single point of failure. Layerzero is educating developers on safe configurations, will stop supporting 1/1 DVN setups, and is migrating defaults to a 5/5 DVN setup. The update also addressed a lapse from years earlier in which a multisig signer mistakenly used a multisig hardware wallet for a personal trade, and introduced Onesig, which is designed to prevent unauthorized backend transactions by hashing and merklizing transactions locally.
Read at news.bitcoin.com