Here is a very high-level review of LayerZero's security.
TL;DR - Why 2/5?
- The tech is being used, and it delivers a good user experience.
- The tech setup for dApps isn't secure or decentralized by default.
- The token launch will be successful.
This is my first review, so please don't dislike me for it being a negative one (I promise to write positive ones as well), but LayerZero just launched an update, and I thought it would be a good opportunity to write this. I was one of the first 100 people in Stargate's Telegram group chat, so I've been following this project since mid-2021.
The fact that relayers and oracles have been able to collude has worried me a lot over the past years and has given me a lack of trust in the prioritization at LayerZero. What they've been saying about their architecture is almost the same as saying that something running on a single server is censorship-resistant because anyone can run the same script on their server. It is quite a surprise that no serious hack has happened yet.
A bit about the latest update from LayerZero - For me, as a true believer in decentralization, it hurts me to see Bryan Pellegrino opening up the latest update video with, “We care deeply about permissionlessness, about censorship resistance, and about having contracts being immutable, and those used to be very popular things. They don’t seem to be that popular anymore.”
If we jump into the LayerZero V2 design, I am not sure it is any different tbh.
"With the V2 design, applications have complete control over security.
Applications may modify, combine, or remove DVNs however they deem necessary. This allows applications to improve security as new verification methods enter the market or reconfigure DVNs if risks arise."
If an application has full control over security, how is this any different from running a centralized application? How do we ensure that it is censorship-resistant? How is this any different from the earlier setup?
As a retail user, this obviously creates a lot of problems; you'll have to know the exact configuration of the dApp's security to know whether or not you can trust the dApp. And even if the initial setup looks good, you have to trust that they won't change the configuration retroactively.
With this being said, I do believe LayerZero will do well when it comes to token launch. I have been chasing the airdrop. I just think there are better technologies out there.