I just got banned by Immunefi for reporting a real replay attack on LayerZero V2
I discovered that lzReceive() allows infinite replays of valid cross-chain messages, due to the lack of guid tracking. This results in repeated token crediting — a critical flaw.
My PoC used real deployed contracts, no forged data. The vulnerability is 100% reproducible.
Instead of investigating, Immunefi rejected my report without a technical rebuttal — and banned me for "complexity poaching".
Full Story: https://medium.com/@tangouvitch/immunefi-banned-me-for-reporting-a-real-replay-attack-in-layerzero-v2-71d5ee0ff102
Do you think this is a valid bug? Was the ban justified? Should Immunefi be held accountable?
Curious to hear what the Ethereum community thinks.
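For readers who want to see the failure mode the post describes in concrete form, here is an added illustration (my own example, not code from the post, the linked article, or LayerZero): a hypothetical receiver in the shape of an lzReceive() handler, first with no per-message bookkeeping, then with guid tracking. Everything here is constructed: the Origin struct only mirrors the field layout of LayerZero V2's Origin, the endpoint is stood in for by the demo contract itself, and the packet (guid, peer, amount) is made up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not LayerZero code. The Origin layout below copies the
// field names used by LayerZero V2 so the handler signature looks familiar,
// but nothing here imports or depends on the real endpoint.
struct Origin {
    uint32 srcEid;   // source chain endpoint id
    bytes32 sender;  // sending OApp, as bytes32
    uint64 nonce;    // per-path nonce
}

/// Weak shape: every well-formed packet credits tokens, so the same
/// (guid, message) pair is credited again each time it is delivered.
contract ReceiverNoReplayGuard {
    address public immutable endpoint;
    mapping(address => uint256) public balances;

    constructor(address _endpoint) { endpoint = _endpoint; }

    function lzReceive(Origin calldata, bytes32 /*guid*/, bytes calldata message, address, bytes calldata) external {
        require(msg.sender == endpoint, "not endpoint");
        (address to, uint256 amount) = abi.decode(message, (address, uint256));
        balances[to] += amount; // credited on every delivery, including replays
    }
}

/// Hardened shape: remember each executed guid and refuse repeats, and only
/// accept packets from the configured peer for that source chain.
contract ReceiverWithReplayGuard {
    address public immutable endpoint;
    address public immutable owner;
    mapping(address => uint256) public balances;
    mapping(bytes32 => bool) public executed;   // guid -> already credited
    mapping(uint32 => bytes32) public peers;    // srcEid -> trusted sender

    event Credited(bytes32 indexed guid, address indexed to, uint256 amount);

    constructor(address _endpoint) { endpoint = _endpoint; owner = msg.sender; }

    function setPeer(uint32 eid, bytes32 peer) external {
        require(msg.sender == owner, "not owner");
        peers[eid] = peer;
    }

    function lzReceive(Origin calldata origin, bytes32 guid, bytes calldata message, address, bytes calldata) external {
        require(msg.sender == endpoint, "not endpoint");
        require(peers[origin.srcEid] == origin.sender, "untrusted peer");
        require(!executed[guid], "replay");  // the per-guid check the post says is absent
        executed[guid] = true;               // mark before any effects (checks-effects-interactions)
        (address to, uint256 amount) = abi.decode(message, (address, uint256));
        balances[to] += amount;
        emit Credited(guid, to, amount);
    }
}

/// Deploys both receivers with itself acting as the "endpoint" and delivers
/// one constructed packet twice to each. Expected: the weak receiver credits
/// twice (2000 ether), the hardened one credits once and reverts the replay.
contract ReplayDemo {
    function run() external returns (uint256 creditedWithoutGuard, uint256 creditedWithGuard, bool replayReverted) {
        bytes32 peer = bytes32(uint256(uint160(address(0xBEEF)))); // constructed peer
        Origin memory origin = Origin({srcEid: 101, sender: peer, nonce: 1});
        bytes32 guid = keccak256("constructed packet guid");       // constructed guid
        bytes memory message = abi.encode(address(0xCAFE), 1_000 ether);

        ReceiverNoReplayGuard weak = new ReceiverNoReplayGuard(address(this));
        weak.lzReceive(origin, guid, message, address(0), "");
        weak.lzReceive(origin, guid, message, address(0), ""); // second delivery accepted
        creditedWithoutGuard = weak.balances(address(0xCAFE));

        ReceiverWithReplayGuard strong = new ReceiverWithReplayGuard(address(this));
        strong.setPeer(101, peer);
        strong.lzReceive(origin, guid, message, address(0), "");
        try strong.lzReceive(origin, guid, message, address(0), "") {
            replayReverted = false;
        } catch {
            replayReverted = true; // "replay"
        }
        creditedWithGuard = strong.balances(address(0xCAFE));
    }
}
```

The practical check when evaluating a report like this one is where the replay guard is expected to live: in the receiver (as above), or in the endpoint that sits in front of it and is the only permitted caller. A guid mapping in the receiver is cheap insurance either way, but whether a given deployment is actually exposed turns on whether any path can reach the handler a second time with the same guid, and that is the part a PoC has to demonstrate against the real contracts. The reproduction the post refers to is in the linked article, not in this example.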
Interesting, can this directly be used to make money? Maybe by the employee reading your report?
Edit: Maybe send a report to steve from grc, he loves those kinds of stories.