LayerZero is an omnichain interoperability protocol designed for lightweight message passing across chains. LayerZero provides authentic and guaranteed message delivery with configurable trustlessness. The protocol is implemented as a set of gas-efficient, non-upgradeable smart contracts. LayerZero Core refers to the core contracts behind the LayerZero omnichain network.
Zellic conducted an audit for LayerZero Labs from May 30th to June 3rd, 2022, on the scoped contracts and discovered 2 findings. This was a re-review of LayerZero Core, specifically focusing on UltraLightNodeV2. Fortunately, no critical issues were found. We applaud LayerZero Labs for their attention to detail and diligence in maintaining incredibly high code quality standards in the development of LayerZero Core.
Of the 2 findings, 1 was of low severity and 1 was informational in nature.
Zellic thoroughly reviewed the LayerZero Core codebase to find protocol-breaking bugs as defined by the documentation and any technical issues outlined in the Methodology section of this document. Specifically, taking into account LayerZero's threat model, we focused heavily on issues that would break core invariants like executing payloads without the agreement of both Oracle and Relayer, or executing them out of order, leading to desynchronization between source and destination chains.
Our general assessment of the code is that it was very well organized and structured. The code coverage is high and tests are included for the majority of the functions. The documentation was adequate, although it could be improved. The code was easy to comprehend and, in most cases, intuitive.