我因为向 Immunefi 报告了 LayerZero V2 上真实存在的重放攻击而被封禁。
3 分•作者: tangou•5 个月前
我因为向 Immunefi 报告了 LayerZero V2 上的真实重放攻击而被封禁。<p>我发现,由于缺乏 guid 追踪,lzReceive() 允许无限次重放有效的跨链消息。这导致了代币的重复发放——这是一个关键的漏洞。<p>我的 PoC 使用了真实部署的合约,没有伪造数据。该漏洞 100% 可复现。<p>Immunefi 没有进行调查,就拒绝了我的报告,也没有进行技术反驳——并且以“复杂性窃取”为由封禁了我。<p>完整故事:https://medium.com/@tangouvitch/immunefi-banned-me-for-reporting-a-real-replay-attack-in-layerzero-v2-71d5ee0ff102<p>你认为这是一个有效的漏洞吗?这次封禁是合理的吗?Immunefi 应该为此负责吗?<p>很想听听以太坊社区的看法。
查看原文
I just got banned by Immunefi for reporting a real replay attack on LayerZero V2.<p>I discovered that lzReceive() allows infinite replays of valid cross-chain messages, due to the lack of guid tracking. This results in repeated token crediting — a critical flaw.<p>My PoC used real deployed contracts, no forged data. The vulnerability is 100% reproducible.<p>Instead of investigating, Immunefi rejected my report without a technical rebuttal — and banned me for "complexity poaching".<p>Full Story: https://medium.com/@tangouvitch/immunefi-banned-me-for-reporting-a-real-replay-attack-in-layerzero-v2-71d5ee0ff102<p>Do you think this is a valid bug? Was the ban justified? Should Immunefi be held accountable?<p>Curious to hear what the Ethereum community thinks.