Suspected LayerZero Executor Wallet Compromise Drains $2.1M Across Chains

fiverr
Ledger



A wallet used by LayerZero’s Executor service may have been compromised, with roughly $2.1 million removed across several networks and consolidated on Ethereum.

itrust

The reported drain left the attacker holding about 955 ETH, valued near $1.78 million, and approximately $322,000 in USDC after the stolen assets were routed through Stargate and Relay. The transfers point to a cross-chain fund-consolidation operation rather than a new verified-message exploit, while the source of the wallet access remains unconfirmed.

The incident has not established that LayerZero’s messaging contracts, endpoints or Decentralized Verifier Networks were breached. The affected address appears tied to execution infrastructure that maintains native gas balances across supported chains so verified messages can be delivered on destination networks.

Executor Role Limits The Immediate Protocol Impact

LayerZero Executors automate the final delivery of cross-chain messages by calling lzReceive() or lzCompose() after a message has passed its configured verification process. Those endpoint functions are permissionless once verification is complete, allowing another executor or user to complete delivery if the designated service fails.

A compromise of an Executor funding wallet can expose the assets held by that wallet and interrupt automated delivery until balances or keys are replaced. It does not, by itself, allow an attacker to forge a cross-chain message or alter the verifier set.

LayerZero has described its Executor as a gas-abstraction and execution service with no role in deciding whether a message is valid. The company previously said an Executor failure would create a delivery or liveness issue, leaving users or another permissionless executor able to submit the verified transaction manually.

Stargate And Relay Route Stolen Assets

The attacker moved the stolen assets from several chains into Ethereum using two established cross-chain routes. Stargate supplies native-asset liquidity across LayerZero-connected networks, while Relay uses cross-chain intents and solvers to fill transfers on the destination chain before settling the origin-side order.

Use of either service does not indicate that Stargate or Relay was compromised. The protocols appear to have functioned as transfer routes after the assets had already left the suspected Executor wallets. No separate loss from their liquidity pools or contracts was identified in the initial fund trail.

The suspected wallet breach follows the KelpDAO incident, which exposed a different section of LayerZero’s infrastructure. That attack released about $292 million in rsETH after compromised RPC infrastructure fed false source-chain information into a single-verifier setup. The Executor delivered the message after it had already been accepted as verified.



Source link

Blockonomics

Be the first to comment

Leave a Reply

Your email address will not be published.


*