Cautions for developers

OApp developers

It is important that OApp developers consider the following:

  • Only override _lzReceive, not lzReceive. Note that overriding lzReceive (i.e., not _lzReceive) would not impact functionality (i.e., it would still pass tests) and would produce no warning, but it would skip the following critical security checks:

    • require(address(endpoint) == msg.sender, "OApp: endpoint only");

    • assertRemoteAddress(_srcEid, _srcAddress);

    • _acceptNonce(_srcEid, _srcAddress, _nonce);

  • Messages are not ordered by default. Delivery of messages is ordered, but execution is not.
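
The first caution above, shown as an added example (not code from the report or from LayerZero): a simplified model in which the public lzReceive runs the three checks and then calls the internal _lzReceive hook. The contract names, parameter lists, storage layout and the bodies of the checks are assumptions made for illustration; only the check names and the first require line come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Simplified model for illustration, not LayerZero's OApp source. Parameter lists,
// storage and check bodies are assumptions; only the three check names are from the report.
abstract contract OAppModel {
    address public immutable endpoint;
    mapping(uint32 => bytes32) public peers; // trusted remote per source eid (assumed)
    mapping(uint32 => mapping(bytes32 => uint64)) public lastNonce;
    constructor(address _endpoint, uint32 _eid, bytes32 _peer) {
        endpoint = _endpoint;
        peers[_eid] = _peer;
    }

    // Public entry point: runs the checks, then calls the internal hook.
    function lzReceive(uint32 _srcEid, bytes32 _srcAddress, uint64 _nonce, bytes calldata _message) public virtual {
        require(address(endpoint) == msg.sender, "OApp: endpoint only");
        assertRemoteAddress(_srcEid, _srcAddress);
        _acceptNonce(_srcEid, _srcAddress, _nonce);
        _lzReceive(_srcEid, _srcAddress, _nonce, _message);
    }

    function assertRemoteAddress(uint32 _srcEid, bytes32 _srcAddress) public view {
        require(_srcAddress != bytes32(0) && peers[_srcEid] == _srcAddress, "untrusted remote");
    }

    function _acceptNonce(uint32 _srcEid, bytes32 _srcAddress, uint64 _nonce) internal {
        require(_nonce > lastNonce[_srcEid][_srcAddress], "stale nonce"); // assumed policy
        lastNonce[_srcEid][_srcAddress] = _nonce;
    }

    function _lzReceive(uint32, bytes32, uint64, bytes calldata _message) internal virtual;
}

// Correct: only the hook is overridden, so all three checks run before it.
contract SafeReceiver is OAppModel {
    bytes public last;
    constructor(address e, uint32 id, bytes32 p) OAppModel(e, id, p) {}
    function _lzReceive(uint32, bytes32, uint64, bytes calldata _message) internal override { last = _message; }
}

// The mistake: the entry point itself is replaced. It compiles and endpoint
// deliveries still succeed, but no caller, remote-address or nonce check runs.
contract UnsafeReceiver is OAppModel {
    bytes public last;
    constructor(address e, uint32 id, bytes32 p) OAppModel(e, id, p) {}
    function lzReceive(uint32, bytes32, uint64, bytes calldata _message) public override { last = _message; }
    function _lzReceive(uint32, bytes32, uint64, bytes calldata) internal override {}
}
```

A unit test that calls lzReceive from an address other than the endpoint and expects a revert distinguishes the two receivers, which a happy-path delivery test does not.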

OFT developers

It is important that OFT developers consider the following:

  • Truncation of dust. Amounts transferred cross-chain are truncated to the SharedDecimals precision of six. This means a transfer may leave dust behind that cannot be transferred cross-chain.

Zellic © 2025