CoinVoice has recently learned that LayerZero's CEO Bryan Pellegrino addressed the Across Protocol team on social media, stating, “I want to inform you that there is a critical issue with your token contract. You have mistakenly exposed a function that should have been an internal private function, which was written by OpenZeppelin in its ERC20 token implementation, designed to burn tokens, and granted it to the contract owner—this allows you to withdraw tokens from any wallet at will, arbitrarily setting any account’s balance to 0.

“In addition, both your Across Protocol and UMA Protocol contracts have the ability to mint indefinitely, but I have already notified you of these two issues, and you seem to not care. To resolve this issue without reissuing tokens:

“Transfer contract ownership to a new smart contract to prevent the minting amount from exceeding the total supply and disallow burning. Since this is a permanent vulnerability, the new contract must be immutable and should not include any ownership transfer functionality. If you have an active bug bounty program, you can credit this information to the LayerZero team.”
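The mitigation described in the quote, sketched as an added example (not code from Across, UMA, LayerZero or OpenZeppelin). It assumes the token exposes an owner-gated `mint(address,uint256)` and reads "exceeding the total supply" as a fixed supply cap; the interface `IOwnedToken`, the contract `MintCapGuardian`, and the `minter` and `supplyCap` parameters are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interface: the owner-gated mint assumed to exist on the token.
interface IOwnedToken {
    function mint(address to, uint256 amount) external;
    function totalSupply() external view returns (uint256);
}

/// Intended to become the token's owner. It forwards capped mints only.
/// There is deliberately no burn forwarder, no function that hands token
/// ownership onward, no owner or admin role of its own, and no proxy or
/// upgrade hook, so the owner-only burn becomes unreachable.
contract MintCapGuardian {
    IOwnedToken public immutable token;
    address public immutable minter;    // assumption: a single fixed minter
    uint256 public immutable supplyCap; // assumption: a hard cap set at deploy

    error NotMinter();
    error CapExceeded(uint256 requested, uint256 remaining);

    constructor(IOwnedToken token_, address minter_, uint256 supplyCap_) {
        require(address(token_) != address(0), "token is zero address");
        require(minter_ != address(0), "minter is zero address");
        require(supplyCap_ >= token_.totalSupply(), "cap below current supply");
        token = token_;
        minter = minter_;
        supplyCap = supplyCap_;
    }

    /// Mints through the guardian, reverting if the cap would be exceeded.
    function mint(address to, uint256 amount) external {
        if (msg.sender != minter) revert NotMinter();
        uint256 supply = token.totalSupply();
        uint256 remaining = supplyCap > supply ? supplyCap - supply : 0;
        if (amount > remaining) revert CapExceeded(amount, remaining);
        token.mint(to, amount);
    }
}
```

Once the current owner transfers token ownership to the deployed guardian's address, the only owner action still reachable is a mint within the cap. Because every field is `immutable` and no function changes roles, the restriction cannot be reversed later.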