L2BEAT Bridges is a work in progress. You might find incomplete research or inconsistent naming. Join our discord to suggest improvements!

Omnichain (LayerZero) logoOmnichain (LayerZero)

This page gathers Omnichain Tokens built on top of LayerZero AMB protocol that have a market cap over 100k USD.
The security parameters of each individual token must be individually assessed, and can be changed by the developers. Omnichain tokens are in the early stages of development, use at your own risk.
  • Total value locked
    $528.20 M2.24%
  • Destination
    Various
  • Validated by
    Third Party
  • Type
    Token Bridge
  • ...

    Detailed description

    This page gathers Omnichain Tokens built on top of LayerZero AMB protocol that have a market cap over 100k USD.

    Currently they are: STONE, STG, WAGMI, Wrapped EURA, Wrapped LINK, Wrapped USDC and Wrapped BOBA. Risk associated with using any of them varies, depending on the technological decisions made by the developers. LayerZero as a framework to build omnichain application does not provide any base security as applications can define their own security settings, however applications and tokens choosing the default security settings will leverage security provided by default Oracle, Relayer, Verification Library and Proof Library. Default settings are managed by LayerZero team.

    Risk summary
    This project includes unverified contracts. (CRITICAL)
    The security parameters of each individual token must be individually assessed, and can be changed by the developers. Omnichain tokens are in the early stages of development, use at your own risk.
    Technology

    Principle of operation

    Omnichain tokens are tokenized Token Bridges. Usually, one chain is designated as main and acts as an token escrow. In this case, transfers from the main chain are done using typical lock-mint model. Transfers between other (non-main) chains are made using burn-mint model. The implementation details may vary between each individual omnichain token and must be individually assessed.

    Oracles and Relayers

    Note: This section requires more research and might not present accurate information.

    Omnichain tokens are built on top of LayerZero protocol. LayerZero relies on Oracles to periodically submit source chain block hashes to the destination chain. Once block hash is submitted, Relayers can provide the proof for the transfers. The Oracle and Relayer used can be either default LayerZero contracts, or custom built by the token developers.

    • Users can be censored if oracles or relayers fail to facilitate the transfer (CRITICAL).

    • Funds can be stolen if oracles and relayers collude to submit fraudulent block hash and relay fraudulent transfer (CRITICAL).

    • Funds can be stolen if omnichain token owner changes Oracle/Relayer pair for their own (CRITICAL).

    1. LayerZero security model analysis
    Permissions

    The system uses the following set of permissioned addresses:

    Default Relayer 0x902F…089E

    Contract authorized to relay messages and - as a result - withdraw funds from the bridge.

    Used in:

    Project icon
    Default Oracles (2) 0xD56e…C7cc0x5a54…10B2

    Contracts that submit source chain block hashes to the destination chain.

    LayerZero Multisig 0xCDa8…4C92

    Contract authorize to update default security parameters (Relayer, Oracle, Libraries). Owner of the Endpoint and UltraLightNodeV2 contract. This is a Gnosis Safe with 2 / 5 threshold.

    Used in:

    Project icon
    Project icon

    Those are the participants of the LayerZero Multisig.

    Smart contracts
    Note: This section requires more research and might not present accurate information.

    The system consists of the following smart contracts:

    Contract used to submit source chain block hashes. One of the default Oracles. The source code of some implementations is not verified on Etherscan.

    Proxy used in:

    Project icon
    Google Cloud Oracle 0xD56e…C7cc

    Contract used to submit source chain block hashes. One of the default Oracles.

    Implementation used in:

    Project icon

    Contract used to provide the merkle proof for the transfers on source chains. The source code of some implementations is not verified on Etherscan.

    Proxy used in:

    Project icon
    Default LayerZero Inbound Proof Libraries 0x462F…B8590x0724…df89

    Contracts used to validate messages coming from source chains.

    Endpoint 0x66A7…d675

    Contract used for cross-chain messaging.

    Implementation used in:

    Project icon
    Project icon
    UltraLightNodeV2 0x4D73…78E2

    Default send and receive library.

    Implementation used in:

    Project icon
    Project icon
    TreasuryV2 0x3773…e34d

    Contract responsible for fee mechanism.

    Implementation used in:

    Project icon
    NonceContract 0x5B90…6068

    Value Locked is calculated based on these smart contracts and tokens:

    STONE Token 0x7122…bD3C
    STG Token 0xAf51…2Cd6
    WAGMI Token 0x92CC…3a67
    Wrapped EURA Token 0x4Fa7…F982
    Wrapped LINK Token 0xEe38…69de
    Wrapped USDC Token 0x4F52…EF3E
    Wrapped BOBA Token 0x1A36…3e55
    Wrapped BOBA Token 0xB000…c490
    Wrapped BOBA Token 0x6F53…2F41

    The current deployment carries some associated risks:

    • Funds can be stolen if the source code of unverified contracts contains malicious code (CRITICAL).

    • Funds can be stolen if a contract receives a malicious code upgrade. There is no delay on code upgrades (CRITICAL).

    • Funds can be stolen if the source code of unverified contracts contains malicious code (CRITICAL).

    Knowledge Nuggets