The security risks and decentralization challenges of the LayerZero cross-chain protocol
Security Challenges of Cross-Chain Protocols and Limitations of LayerZero
In recent years, security incidents involving cross-chain protocols have been frequent, resulting in significant losses, even surpassing the issues brought about by Ethereum's scaling solutions. This highlights the importance and urgency of addressing the security issues of cross-chain protocols. However, due to the public's limited understanding of these protocols, it is difficult to accurately assess their security levels.
Among the many cross-chain solutions, LayerZero adopts a seemingly simple architecture: a Relayer carries out inter-chain communication, and an Oracle supervises it. This design eliminates the traditional consensus process of a third chain, providing users with a fast cross-chain experience. However, this simplified architecture also brings potential security risks.
First, LayerZero reduces multi-node validation to validation by a single Oracle, significantly reducing the security factor. Second, the model rests on the assumption that Relayers and Oracles are independent of each other, but this trust assumption is difficult to maintain permanently, does not align with the native principles of cryptocurrency, and cannot fundamentally prevent collusion.
There is a viewpoint that open Relayer access may solve these issues. However, increasing the number of operators does not equate to decentralization; it merely makes the system permissionless rather than enhancing its security. The Relayer of LayerZero is essentially still a trusted third party, similar to an Oracle.
More importantly, LayerZero is not responsible for the security of applications. If a project using LayerZero allows its configured nodes to be modified, an attacker could replace them with their own nodes, thereby forging messages. This potential risk may become more severe in complex scenarios.
Essentially, LayerZero is more like middleware than actual infrastructure. It cannot provide unified security guarantees for the projects in its ecosystem, which is fundamentally different from traditional infrastructure.
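The two risks above (an Oracle and Relayer that are not actually independent, and application configuration that can be swapped) can be monitored by comparing each application's live configuration against a reviewed baseline. The following is an added example, not code from LayerZero or from the original article; the record fields, finding codes, addresses and operator names are all hypothetical, constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AppConfig:
    app: str
    oracle: str        # configured Oracle address
    relayer: str       # configured Relayer address
    owner_kind: str    # who may change the two above: "eoa", "multisig", "timelock"

# Constructed data: pinned (reviewed) configs and a map of address -> operating entity.
BASELINE = {
    "bridge-a": AppConfig("bridge-a", "0xORACLE_1", "0xRELAYER_1", "timelock"),
    "bridge-b": AppConfig("bridge-b", "0xORACLE_1", "0xRELAYER_2", "multisig"),
}
OPERATORS = {"0xORACLE_1": "org-x", "0xRELAYER_1": "org-y", "0xRELAYER_2": "org-x"}

def audit(live, baseline=BASELINE, operators=OPERATORS):
    """Return a list of finding codes for one live application config."""
    findings = []
    pinned = baseline.get(live.app)
    if pinned is None:
        findings.append("no-baseline")          # nothing reviewed to compare against
    else:
        for role in ("oracle", "relayer"):
            if getattr(live, role) != getattr(pinned, role):
                findings.append(f"{role}-changed")  # node swapped since review
    ops = [operators.get(live.oracle), operators.get(live.relayer)]
    if None in ops:
        findings.append("unknown-operator")     # cannot vouch for independence
    elif ops[0] == ops[1]:
        findings.append("same-operator")        # independence assumption broken
    if live.owner_kind == "eoa":
        findings.append("single-key-owner")     # one key can replace both nodes
    return findings

# Constructed "live" readings, as a monitoring job might collect them.
LIVE = [
    AppConfig("bridge-a", "0xORACLE_1", "0xRELAYER_1", "timelock"),
    AppConfig("bridge-b", "0xORACLE_1", "0xRELAYER_2", "multisig"),
    AppConfig("bridge-a", "0xORACLE_1", "0xRELAYER_9", "eoa"),
]

if __name__ == "__main__":
    for cfg in LIVE:
        print(cfg.app, audit(cfg) or "ok")
```

The second reading matches its baseline yet is still flagged, because the pinned Oracle and Relayer are run by the same entity: a baseline only helps if the reviewed configuration itself satisfies the independence assumption.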
Some security teams have pointed out potential vulnerabilities in LayerZero. For instance, if malicious actors gain access to the LayerZero configuration, they could manipulate the system, leading to stolen funds. Additionally, critical vulnerabilities have also been found in LayerZero's relayers, which could be exploited by insiders or team members with known identities.
Reviewing the Bitcoin white paper, we can see the core principles of decentralization and trustlessness. However, the design of LayerZero seems to contradict these principles. It requires users to trust Relayers, Oracles, and the developers who build applications using LayerZero, while the participants in the multi-signature process are also pre-arranged privileged roles. More importantly, the cross-chain process of LayerZero does not generate any fraud proofs or validity proofs, let alone put these proofs on-chain for verification.
Therefore, although LayerZero claims to be a decentralized infrastructure, it does not fully adhere to the core principles of "Satoshi consensus." If a cross-chain protocol cannot achieve true decentralized security, then regardless of its funding scale or user traffic, it may ultimately fail due to insufficient resistance to attacks.
In building a truly decentralized cross-chain protocol, the industry still needs to explore and innovate further. For example, some suggest considering the use of zero-knowledge proofs and other technologies to enhance the security and decentralization of cross-chain protocols. However, to truly address these issues, it is essential to first acknowledge the limitations of existing solutions and to continuously pursue solutions that align with the core principles of blockchain.