I just got banned by Immunefi for reporting a real replay attack on LayerZero V2

5•tangou•6mo ago

I just got banned by Immunefi for reporting a real replay attack on LayerZero V2.

I discovered that lzReceive() allows infinite replays of valid cross-chain messages, due to the lack of guid tracking. This results in repeated token crediting — a critical flaw.

My PoC used real deployed contracts, no forged data. The vulnerability is 100% reproducible.

Instead of investigating, Immunefi rejected my report without a technical rebuttal — and banned me for "complexity poaching".

Full Story: https://medium.com/@tangouvitch/immunefi-banned-me-for-reporting-a-real-replay-attack-in-layerzero-v2-71d5ee0ff102

Do you think this is a valid bug? Was the ban justified? Should Immunefi be held accountable?

Curious to hear what the Ethereum community thinks.

Comments

lompad•6mo ago

Interesting, can this directly be used to make money? Maybe by the employee reading your report?

Edit: Maybe send a report to steve from grc, he loves those kinds of stories.

xxHkrPkrxx•6mo ago

Yeah I've spent a lot of time, writing PoC and they keep getting denied depending on the company, why even try to save their asses, and assets if they're going to treat us like this, starting to really get depressed.

Neomacs: GPU-accelerated Emacs with inline video, WebKit, and terminal via wgpu

Show HN: Moli P2P – An ephemeral, serverless image gallery (Rust and WebRTC)

How I grow my X presence?

What's the cost of the most expensive Super Bowl ad slot?

What if you just did a startup instead?

Hacking up your own shell completion (2020)

Show HN: Gorse 0.5 – Open-source recommender system with visual workflow editor

GLM-OCR: Accurate × Fast × Comprehensive

Local Agent Bench: Test 11 small LLMs on tool-calling judgment, on CPU, no GPU

Show HN: AboutMyProject – A public log for developer proof-of-work

Expertise, AI and Work of Future [video]

So Long to Cheap Books You Could Fit in Your Pocket

PID Controller

SpaceX Rocket Generates 100GW of Power, or 20% of US Electricity

Kubernetes MCP Server

I Built a Movie Recommendation Agent to Solve Movie Nights with My Wife

What were the first animals? The fierce sponge–jelly battle that just won't end

Sidestepping Evaluation Awareness and Anticipating Misalignment

OldMapsOnline

What It's Like to Be a Worm

Don't go to physics grad school and other cautionary tales

Lawyer sets new standard for abuse of AI; judge tosses case

AI anxiety batters software execs, costing them combined $62B: report

Bogus Pipeline

Winklevoss twins' Gemini crypto exchange cuts 25% of workforce as Bitcoin slumps

How AI Is Reshaping Human Reasoning and the Rise of Cognitive Surrender

Cycling in France

Ask HN: What breaks in cross-border healthcare coordination?

Show HN: Simple – a bytecode VM and language stack I built with AI

Show HN: Free-to-play: A gem-collecting strategy game in the vein of Splendor