Full Report
Layer Zero is a cross-chain messaging protocol. It allows for the customization of various entities involved in the protocol. In particular, the relayer who triggers the message on the destination chain can be set arbitrarily. Blockian found a race condition in this functionality. By having the relayer set to LZ, changing it to your own with zero fees and then switching it back, LZ would relay the message for free. The remediation to this issue was modify the protocol contracts, which led to another even worse security issue. The function setConfig is used to change the oracle/relayer of a UA. If this is set in the same transaction that a message is sent, then the relayer should NOT relay the message. Only the owner of a UA is able to change the configuration. So, this seems like a sane remediation. The consequence was that the relayer was checking if the AppConfigUpdated happened at all. Consequently, it wasn't checking that it was the same UA that triggered the update as the one that was being executed. This meant that it was possible to get the relayer to drop messages from legitimate calls, such as Stargate. The consequences are somewhat LZ specific. LZ has an increasing nonce that requires that everyone is done in perfect order. By dropping a message, it's possible to prevent all messages after this point to become stuck. In the case of a well-used app like Stargate, this is pretty neat. LZ could manually force the stuck message through though. Although things would be stuck for a bit, it wouldn't be permanent. So, this was paid out as a medium instead of a critical as a result. To fix this issue, the relayer just needs to see if the SetConfig event UA matches the TX being submitted. An interesting part is that the test would have been necessary to perform on a testnet, since none of the off-chain infrastructure is open source. If somebody would have discovered this beforehand, then major damage could have been caused to LZ.
Analysis Summary
# Vulnerability: LayerZero Cross-Chain Message Blocking via Configuration Race Condition
## CVE Details
- **CVE ID:** Not Assigned (Identified via LayerZero Bug Bounty Program)
- **CVSS Score:** ~6.5 (Medium - Adjusted down from Critical due to manual recovery options)
- **CWE:** CWE-362 (Race Condition), CWE-863 (Incorrect Authorization)
## Affected Systems
- **Products:** LayerZero Cross-Chain Messaging Protocol
- **Versions:** UltraLightNodeV2 (specifically versions following the remediation of the "fee-bypass" bug in Nov 2023)
- **Configurations:** Any User Application (UA) relying on the default LayerZero relayer/infrastructure (e.g., Stargate).
## Vulnerability Description
The vulnerability was introduced as a flawed fix for a previous "fee-bypass" bug. To prevent users from changing configurations mid-transaction to avoid fees, LayerZero implemented a check in the off-chain relayer. This check monitored for an `AppConfigUpdated` event within the same transaction as a message send.
The flaw was that the relayer's verification logic failed to validate **which** UA triggered the configuration change. If any UA triggered a `setConfig` event in a transaction, the relayer would refuse to process *all* messages in that transaction, even those from unrelated, legitimate UAs (like Stargate). Because LayerZero uses a sequential nonce for messages, dropping a single message blocks all subsequent messages for that UA, effectively "bricking" the message flow.
## Exploitation
- **Status:** PoC identified by researcher (Heuss); reported and fixed.
- **Complexity:** Medium (Requires understanding of off-chain relayer behavior and transaction bundling).
- **Attack Vector:** Network (On-chain transaction).
## Impact
- **Confidentiality:** None
- **Integrity:** Medium (Alters the intended state of message delivery queues).
- **Availability:** High (Can temporarily stall cross-chain communication for major protocols like Stargate until manual intervention occurs).
## Remediation
### Patches
- The LayerZero team updated the off-chain relayer logic to ensure that the `AppConfigUpdated` event is strictly tied to the specific UA address associated with the message being processed.
### Workarounds
- **Manual Intervention:** LayerZero Labs retains the ability to manually force a stuck message through the protocol to clear the nonce and unblock the queue.
## Detection
- **Indicators of Compromise:** Multiple `AppConfigUpdated` events appearing in the same block or transaction as high-volume UA messages (e.g., Stargate `send` calls) followed by a halt in destination chain message execution.
- **Detection Methods:** Monitoring the `Packet` event nonces for gaps that do not resolve within the expected block confirmation window.
## References
- LayerZero Labs Vulnerability Report: [https://medium.com/@Heuss/layerzeros-cross-chain-messaging-vulnerability-e5ef48c5ccec](https://medium.com/@Heuss/layerzeros-cross-chain-messaging-vulnerability-e5ef48c5ccec)
- Blockian (Initial Bug Context): [https://medium.com/@blockian/blackboxing-layerzero-labs-off-chain-relayer-954aecab0f62](https://medium.com/@blockian/blackboxing-layerzero-labs-off-chain-relayer-954aecab0f62)
- LayerZero Documentation: [https://layerzero.gitbook.io/docs/faq/glossary](https://layerzero.gitbook.io/docs/faq/glossary)