LayerZero engaged Ackee Blockchain to conduct security reviews of the LayerZero protocol and Stargate Finance on a regular basis. The Ackee Blockchain security team has so far conducted 5 audits; several features of the LayerZero protocol are still under review, and more are to come. Here we publish the first results of our work.

LayerZero is an Omnichain Interoperability Protocol that provides authentic and guaranteed message delivery with configurable trustlessness. The protocol is implemented as a set of gas-efficient, non-upgradable smart contracts.

Currently, LayerZero supports Ethereum and EVM-compatible chains such as Avalanche, Polygon, BNB Chain, Fantom, Arbitrum, and Optimism.

If you want to learn more about LayerZero, please visit LayerZero’s documentation here.

A summary of the audits and their findings follows.

In this blog post, we’ll mention information about the following LayerZero audits:

First, let’s dive into the LayerZero proof-lib Audit and the LayerZero protocol Audit.

The LayerZero proof-lib Audit was completed on 11.03.2022 by the Ackee Blockchain Security team with a total time donation of 4 engineering days. Our security team found 1 medium severity issue and 3 low severity issues. All findings in the audit were acknowledged or fixed by the LayerZero development team.

The LayerZero protocol Stargate DAO / Voting Escrow Audit was completed on 29.03.2022 by the Ackee Blockchain Security team with a total time donation of 6 engineering days. Our security team found 5 low severity issues, and all of them were general recommendations rather than security issues. All findings in the audit were acknowledged or fixed by the LayerZero development team.

 

Now let’s dive into a publicly accessible report. The LayerZero protocol Audit was completed by the Ackee Blockchain Security team on 15.03.2021 with a total time donation of 12 engineering days.

We aim for a gradual and diligent approach to auditing the LayerZero protocol, and therefore our audit methodology consists of:

  1. Technical specification/documentation – a brief overview of the system is requested from the client, and the audit scope is defined.

  2. Tool-based analysis – a deep check with automated Solidity analysis tools is performed.

  3. Manual code review – the code is checked line by line for common vulnerabilities, code duplication, and best practices, and the code architecture is reviewed.

  4. Local deployment + hacking – contracts are deployed locally, and we try to attack the system and break it.

  5. Unit testing – we run unit tests to ensure that the system works as expected. Potentially, we write our own unit tests for specific suspicious scenarios.

What were our findings?

The overall code quality was very good and the architecture was well designed. The protocol is well documented in the whitepaper, Gitbook documentation, and in the code.

The Ackee Blockchain Security Team found 1 medium severity issue and 8 low severity issues, and all of them were general recommendations rather than security issues. All findings in the audit were acknowledged or fixed by the LayerZero development team, except 3 low severity issues that have been descoped and will be reviewed in different audits.

We are delighted to audit LayerZero, the Omnichain Interoperability Protocol, and we look forward to further cooperation.

LayerZero protocol Audit by Ackee Blockchain can be found here: 

LayerZero protocol x Ackee Blockchain audit.