I just got banned by Immunefi for reporting a real replay attack on LayerZero V2

5•tangou•6mo ago

I just got banned by Immunefi for reporting a real replay attack on LayerZero V2.

I discovered that lzReceive() allows infinite replays of valid cross-chain messages, due to the lack of guid tracking. This results in repeated token crediting — a critical flaw.

My PoC used real deployed contracts, no forged data. The vulnerability is 100% reproducible.

Instead of investigating, Immunefi rejected my report without a technical rebuttal — and banned me for "complexity poaching".

Full Story: https://medium.com/@tangouvitch/immunefi-banned-me-for-reporting-a-real-replay-attack-in-layerzero-v2-71d5ee0ff102

Do you think this is a valid bug? Was the ban justified? Should Immunefi be held accountable?

Curious to hear what the Ethereum community thinks.

Comments

lompad•6mo ago

Interesting, can this directly be used to make money? Maybe by the employee reading your report?

Edit: Maybe send a report to steve from grc, he loves those kinds of stories.

xxHkrPkrxx•6mo ago

Yeah I've spent a lot of time, writing PoC and they keep getting denied depending on the company, why even try to save their asses, and assets if they're going to treat us like this, starting to really get depressed.

Omarchy First Impressions

Reinforcement Learning from Human Feedback

Show HN: Versor – The "Unbending" Paradigm for Geometric Deep Learning

Show HN: HypothesisHub – An open API where AI agents collaborate on medical res

Big Tech vs. OpenClaw

Anofox Forecast

Ask HN: How do you figure out where data lives across 100 microservices?

Motus: A Unified Latent Action World Model

Rotten Tomatoes Desperately Claims 'Impossible' Rating for 'Melania' Is Real

The protein denitrosylase SCoR2 regulates lipogenesis and fat storage [pdf]

Los Alamos Primer

NewASM Virtual Machine

Terminal-Bench 2.0 Leaderboard

I vibe coded a BBS bank with a real working ledger

The Path to Mojo 1.0

Show HN: I'm 75, building an OSS Virtual Protest Protocol for digital activism

Show HN: I built Divvy to split restaurant bills from a photo

Hot Reloading in Rust? Subsecond and Dioxus to the Rescue

Skim – vibe review your PRs

Show HN: Open-source AI assistant for interview reasoning

Tech Edge: A Living Playbook for America's Technology Long Game

Golden Cross vs. Death Cross: Crypto Trading Guide

Hoot: Scheme on WebAssembly

What the longevity experts don't tell you

Monzo wrongly denied refunds to fraud and scam victims

They were drawn to Korea with dreams of K-pop stardom – but then let down

Show HN: AI-Powered Merchant Intelligence

Bash parallel tasks and error handling

Let's compile Quake like it's 1997

Reverse Engineering Medium.com's Editor: How Copy, Paste, and Images Work