我刚刚因为报告了LayerZero V2上的真实重放攻击而被Immunefi禁用了。
我刚刚被Immunefi禁言,因为我报告了LayerZero V2上的一个真实重放攻击。
我发现lzReceive()允许对有效的跨链消息进行无限重放,这是由于缺乏GUID跟踪。这导致了代币的重复记账——这是一个严重的漏洞。
我的概念验证使用了真实部署的合约,没有伪造数据。这个漏洞是100%可重现的。
Immunefi没有进行调查,而是拒绝了我的报告,且没有提供技术反驳——并以“复杂性抢夺”将我禁言。
完整故事请见:https://medium.com/@tangouvitch/immunefi-banned-me-for-reporting-a-real-replay-attack-in-layerzero-v2-71d5ee0ff102
你认为这是一个有效的漏洞吗?这个禁言是否合理?Immunefi应该承担责任吗?
我很想听听以太坊社区的看法。
查看原文
I just got banned by Immunefi for reporting a real replay attack on LayerZero V2.<p>I discovered that lzReceive() allows infinite replays of valid cross-chain messages, due to the lack of guid tracking. This results in repeated token crediting — a critical flaw.<p>My PoC used real deployed contracts, no forged data. The vulnerability is 100% reproducible.<p>Instead of investigating, Immunefi rejected my report without a technical rebuttal — and banned me for "complexity poaching".<p>Full Story: https://medium.com/@tangouvitch/immunefi-banned-me-for-reporting-a-real-replay-attack-in-layerzero-v2-71d5ee0ff102<p>Do you think this is a valid bug? Was the ban justified? Should Immunefi be held accountable?<p>Curious to hear what the Ethereum community thinks.