Full Report
LayerZero is a cross-chain messaging protocol. The architecture is as follows: a User Application (UA) calls the endpoint; the endpoint emits an event on chain A; off-chain infrastructure attests the message; the Relayer delivers the message on chain B; the UA receives the message on chain B. The protocol allows the Relayer and the Oracle to be configured per application, which suggests that anyone can implement an off-chain relayer and use it themselves.

The author had a question: "when does the LayerZero Labs Relayer stop listening to messages?" In the contract UltraLightNodeV2, the function send() handles the event emission for a cross-chain message. Interestingly, the event does NOT emit the relayer address itself. This piqued the author's interest: if the relayer address is not in the event, then the LZ Relayer must keep its own record of each User Application (UA) that it supports. This feels racy. Remember, there is no source for the off-chain infra!

So they started asking questions: what happens if a user changes their config? They submitted a PoC on chain where the Relayer and Oracle price submissions were 0, then changed the Oracle/Relayer back to the original LZ default. By doing this, the LZ Relayer relayed the transaction without getting paid during the submission process. This means that you can use LZ for free and drain the funds from the LZ Relayer wallet. Naturally, if these funds are drained, the other apps would no longer work.

The smart contracts are open source, but none of the off-chain code is. The author decided to black-box test the code to see how it would react. To me, this is interesting but crosses an important trust threshold. What if a malicious actor was looking at these transactions and then mimicked the exploit? Unlike web2, where your traffic is your own, doing live testing on-chain could lead to further issues.
Analysis Summary
# Vulnerability: LayerZero Off-Chain Relayer Fee Evasion
## CVE Details
- **CVE ID**: Not Assigned (Protocol-specific vulnerability)
- **CVSS Score**: Estimated 7.5 (High)
- **CWE**: CWE-362 (Race Condition), CWE-694 (Standard Deviation from Expected Behavior)
## Affected Systems
- **Products**: LayerZero Labs Off-chain Relayer Infrastructure
- **Versions**: Legacy UltraLightNodeV2 configurations prior to February 13, 2023.
- **Configurations**: User Applications (UA) utilizing the default LayerZero Labs Relayer and Oracle for cross-chain messaging.
## Vulnerability Description
The vulnerability stems from an inconsistency between on-chain event emissions and off-chain infrastructure tracking. In the `UltraLightNodeV2` contract, the `send()` function emits a `Packet` event that contains message data but excludes the specific address of the intended Relayer.
Because the Relayer address is not in the event, the off-chain Relayer must maintain an internal state of supported User Applications (UAs) and their configurations. A synchronization gap (race condition) exists when a UA changes its configuration. An attacker can execute a "sandwich" transaction that:
1. Temporarily changes the UA's Relayer/Oracle to a custom "zero-fee" version.
2. Sends the cross-chain message (paying 0 fees on-chain).
3. Restores the config to the original LayerZero defaults, all within the same transaction.
The off-chain Relayer, seeing the packet and noting the UA is "currently" active in its state, relays the message despite no fees being paid to its wallet during the emission process.
## Exploitation
- **Status**: PoC available/Executed for bug bounty.
- **Complexity**: Medium
- **Attack Vector**: Network (On-chain Transaction)
## Impact
- **Confidentiality**: None
- **Integrity**: Low (Financial integrity of the fee system is bypassed).
- **Availability**: High (Continuous exploitation would drain the Relayer’s gas funds on destination chains, causing all legitimate transactions for other applications to fail).
## Remediation
### Patches
- LayerZero Labs patched the off-chain Relayer logic on February 13, 2023, to ensure stricter validation of configurations at the time of event emission.
### Workarounds
- No manual workarounds are required for User Applications as the fix was implemented at the infrastructure provider level.
## Detection
- **Indicators of Compromise**: Cross-chain `Packet` events where the protocol fee or relayer fee is 0, yet the message is successfully delivered by the official LayerZero Relayer.
- **Detection Methods**: Monitoring for rapid successive `setConfig` calls that wrap a `send()` call within a single transaction hash.
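The detection method above, worked through as an added example that is not LayerZero's code or the author's: it scans an already-decoded call trace (assumed to come from a tracer or indexer; the `Call` layout, the `"relayer"`/`"oracle"` config labels and the sample trace are all constructed here) and flags any transaction in which a UA changes its Relayer or Oracle setting, emits a `send()` with no relayer fee, and then sets the same setting again.

```python
# Added example (not LayerZero's code): detector for the setConfig/send/setConfig
# sandwich, run over a constructed, already-decoded per-transaction call trace.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Call:
    tx_hash: str          # transaction the call belongs to
    index: int            # position of the call within the transaction's trace
    ua: str               # User Application that called the endpoint
    func: str             # decoded function name: "setConfig" or "send"
    cfg: str = ""         # setConfig only: "relayer" or "oracle" (constructed labels)
    value: str = ""       # setConfig only: new Relayer/Oracle address
    relayer_fee: int = 0  # send only: native fee forwarded to the Relayer (wei)


def find_sandwiches(calls):
    """Return (tx_hash, ua, cfg) for each setting that a UA changes, uses for a
    zero-fee send, and then sets again inside one transaction."""
    by_tx = defaultdict(list)
    for c in calls:
        by_tx[c.tx_hash].append(c)
    findings = []
    for tx_hash, tx_calls in by_tx.items():
        tx_calls.sort(key=lambda c: c.index)
        for i, first in enumerate(tx_calls):
            if first.func != "setConfig":
                continue
            for j in range(i + 1, len(tx_calls)):
                second = tx_calls[j]
                # closing setConfig: same UA and same setting, later in the trace
                if (second.func == "setConfig" and second.ua == first.ua
                        and second.cfg == first.cfg):
                    zero_fee_sends = [c for c in tx_calls[i + 1:j]
                                      if c.func == "send" and c.ua == first.ua
                                      and c.relayer_fee == 0]
                    if zero_fee_sends:
                        findings.append((tx_hash, first.ua, first.cfg))
                    break  # pair each opening setConfig only with the next closing one
    return findings


# Constructed sample trace: a normal paid send, an honest config change, a sandwich.
SAMPLE_TRACE = [
    Call("0xaaa1", 0, "0xUA_A", "send", relayer_fee=50_000_000_000_000),
    Call("0xbbb2", 0, "0xUA_B", "setConfig", cfg="relayer", value="0xNEW_RELAYER"),
    Call("0xccc3", 0, "0xUA_C", "setConfig", cfg="relayer", value="0xZERO_FEE_RELAYER"),
    Call("0xccc3", 1, "0xUA_C", "setConfig", cfg="oracle", value="0xZERO_FEE_ORACLE"),
    Call("0xccc3", 2, "0xUA_C", "send", relayer_fee=0),
    Call("0xccc3", 3, "0xUA_C", "setConfig", cfg="relayer", value="0xLZ_DEFAULT_RELAYER"),
    Call("0xccc3", 4, "0xUA_C", "setConfig", cfg="oracle", value="0xLZ_DEFAULT_ORACLE"),
]

if __name__ == "__main__":
    for finding in find_sandwiches(SAMPLE_TRACE):
        print("sandwich:", finding)
```

Only transaction `0xccc3` is reported (once for the relayer setting and once for the oracle setting); the paid send and the stand-alone config change are left alone, which is the distinction the Indicators of Compromise above rely on.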
## References
- **Vendor Website**: hxxps://layerzero[.]network/
- **Technical Writeup**: hxxps://medium[.]com/@blockian/blackboxing-layerzero-labs-off-chain-relayer-for-25-000-954aecab0f62
- **Documentation**: hxxps://layerzero[.]gitbook[.]io/docs/ecosystem/relayer