LayerZero is an Omnichain Interoperability Protocol designed for lightweight message passing across chains. LayerZero provides authentic and guaranteed message delivery with configurable trustlessness. The protocol is implemented as a set of gas-efficient, non-upgradable smart contracts. LayerZero Core refers to the core contracts behind the LayerZero omnichain network.
Zellic conducted an audit for LayerZero Labs from April 4th to April 15th, 2022 on the scoped contracts and discovered 3 findings. Fortunately, no critical issues were found. We applaud LayerZero Labs for their attention to detail and diligence in maintaining incredibly high code quality standards in the development of LayerZero Core.
Of the 4 findings, 1 was high impact, and 1 was low impact. The remaining findings were informational in nature. Additionally, Zellic recorded its notes and observations from the audit for LayerZero Labs's benefit at the end of the document.
Zellic thoroughly reviewed the LayerZero Core codebase to find protocol-breaking bugs as defined by the documentation, or any technical issues outlined in the Methodology section of this document. Specifically, taking into account LayerZero's threat model, we focused heavily on issues that would break core invariants like executing payloads without the agreement of both Oracle and Relayer, or executing them out-of-order, leading to desynchronization between source and destination chains.
Our general overview of the code is that it was very well-organized and structured. The code coverage is high and tests are included for the majority of the functions. The documentation was adequate, although it could be improved. The code was easy to comprehend, and in most cases, intuitive.