
LayerZero CEO reveals vulnerabilities in Across token contract and provides solutions

Oct 22, 2024 01:07:19


According to ChainCatcher, LayerZero CEO Bryan Pellegrino addressed the Across Protocol team on social media, stating, "I want to inform you that there is a critical issue with your token contract. You have incorrectly exposed a function that should have been an internal private function, which was written by OpenZeppelin in its ERC20 token implementation, designed to burn tokens, and granted it to the contract owner—this allows you to withdraw tokens from any wallet at any time and arbitrarily set any account's balance to 0.

Additionally, both your Across Protocol and UMA Protocol contracts have the ability to mint unlimited tokens, but I have already notified you of these two issues, and you seem unconcerned. To resolve this issue without needing to reissue tokens:

Transfer the contract ownership to a new smart contract to prevent the minting amount from exceeding the total supply and also disallow burning. Since this is a permanent vulnerability, the new contract must be immutable and should not include any functionality to transfer ownership. If you have an active bug bounty program, you can credit this information to the LayerZero team."
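The mitigation described in the quoted post, sketched as an added example (not code from the article, LayerZero, or Across): a guard contract meant to be made the token's owner. The `IOwnedToken` interface, the `minter` role and the `maxSupply` cap are assumptions, since the page gives neither the token's ABI nor a cap value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface: mint() is a hypothetical stand-in for the token's
// owner-only mint function; totalSupply() is the standard ERC20 getter.
interface IOwnedToken {
    function mint(address to, uint256 amount) external;
    function totalSupply() external view returns (uint256);
}

/// Hypothetical guard intended to hold ownership of the token.
/// It exposes no burn forwarder, no ownership-transfer forwarder, no generic
/// call or delegatecall, and no upgrade path. Once the token's owner is this
/// contract, the owner-only burn cannot be reached by anyone.
contract MintCapGuard {
    IOwnedToken public immutable token;
    uint256 public immutable maxSupply; // constructed cap, fixed at deployment
    address public immutable minter;    // assumed role allowed to request mints

    error NotMinter();
    error CapExceeded(uint256 requested, uint256 remaining);

    constructor(IOwnedToken token_, uint256 maxSupply_, address minter_) {
        token = token_;
        maxSupply = maxSupply_;
        minter = minter_;
    }

    /// Forwards a mint only while the resulting supply stays within the cap.
    function mint(address to, uint256 amount) external {
        if (msg.sender != minter) revert NotMinter();
        uint256 supply = token.totalSupply();
        // If supply already sits at or above the cap, nothing more can be minted.
        uint256 remaining = maxSupply > supply ? maxSupply - supply : 0;
        if (amount > remaining) revert CapExceeded(amount, remaining);
        token.mint(to, amount);
    }
}
```

Because every field is `immutable` and there is no function that changes the token's owner, the restriction only holds after ownership of the token has actually been transferred to the deployed guard, which can be confirmed by reading the token's owner on-chain.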
