LayerZero
About
LayerZero is an omnichain messaging protocol — a permissionless, open framework for securely moving data between blockchains. It provides immutable Endpoint contracts deployed on each connected chain, append-only Message Libraries for extrinsic security, and fully configurable Security Stacks (DVNs + Executors) that each Omnichain Application (OApp) owns exclusively. Built for developers of crosschain dApps, asset issuers, and enterprises, LayerZero enables universal cross-chain interoperability with modular, application-specific security.
Where Does Yield Come From?
LayerZero is a system for moving data between blockchains — it is not a DeFi yield protocol, meaning it does not collect user funds to generate returns. Instead, its economic activity comes from transaction fees that pay the people and machines running the network's infrastructure.
Three groups earn these fees:
-
Verifiers (DVNs) — These are independent operators that check and confirm messages as they travel between blockchains. Each app built on LayerZero chooses which verifiers it wants to use, and pays them fees based on how many verifiers it picks and what type they are.
-
Executors — These operators watch for messages on the source blockchain and then submit the delivery transaction on the destination blockchain. They earn fees for this work.
-
Gas costs — Before a message can be delivered, the protocol pre-purchases gas (the fee needed to process a transaction) on the destination chain. The cost is calculated by a formula that accounts for gas units, destination gas price, and the relative token prices between chains.
Users can pay these fees in the source chain's native token or in LayerZero's own utility token (LZ).
A separate product called Stargate Finance — built on top of LayerZero — lets users supply assets into shared cross-chain pools and earn fees from transfers. But that is a distinct service, not part of LayerZero itself.
LayerZero's core documentation does not define any staking rewards, token emission schedules, or liquidity mining programs.
Persons
Ryan Zarick
Co-founder and CTO
Thomas Kim
VP of Engineering, Zero
Audits
| Audit / Date | Findings | Verdict |
|---|---|---|
Ackee Blockchain15-03-2022 |
| The audit concluded that LayerZero's Endpoint V1 code has no directly exploitable security vulnerabilities; the sole high-severity item is a trust-model consideration already acknowledged by the team, and all warnings are general recommendations rather than active threats. |
Certora30-06-2022 - 28-07-2022 |
| The Certora formal verification found zero security issues in the isolated Endpoint.sol contract, giving high confidence in the correctness of its internal logic under the stated assumptions; however, the report cautions that the integrated multi-contract system was not within scope, so residual cross-contract or systemic risks remain unaddressed. |
SlowMist21-02-2022 - 28-02-2022 |
| The audit found no critical, high, or medium severity issues; the three low-risk findings and three suggestions were largely acknowledged or fixed, and the code was not yet deployed, indicating a clean baseline for the Endpoint V1 contracts. |
| The audit found no critical or high-severity vulnerabilities, only one low and one informational finding, both of which were acknowledged and fixed by LayerZero Labs, reflecting strong code quality and security maturity in the LayerZero Core contracts. | |
Zokyo22-10-2021 |
| The Zokyo audit report for LayerZero Endpoint V1 (dated 22 October 2021) is inaccessible — only a Git LFS stub exists in the repository, and the underlying PDF binary cannot be located. No security assessment can be derived from this unavailable document. |
Ackee Blockchain11-03-2022 |
| No directly exploitable security threats were identified in the audited scope; the single High-severity finding (RLPDecode uint underflow) poses no risk under current usage and was acknowledged, and all other findings were either acknowledged or fixed, resulting in a clean security assessment for the proof-lib component. |
Zellic22-11-2022 |
| The patch review found no security issues; the change is a minor, low-risk compatibility update for dappRadar's legacy nonce handling. |
Blockian13-12-2023 |
| The audit found no critical or high-severity vulnerabilities, with the three medium-severity issues primarily concerning operational edge cases rather than direct fund loss; the protocol's safety posture is strong for these contracts, though the migration and overlap risks require careful sequencing as acknowledged by the team. |
Zugzwang LLC (Christoph Michel)13-12-2023 |
| The audit found one high-severity architectural concern (executor-trusted message options) that the team accepted as by design, while the two medium issues included one that was fixed; no critical vulnerabilities were identified in the core Endpoint V2 contracts, though residual risks around executor trust and default library upgradeability remain. |
Certora02-08-2023 - 06-09-2023 |
| Certora's formal verification and manual review identified several denial-of-service and design issues in LayerZero EndpointV2, with two high-severity findings fixed and the remainder largely acknowledged or addressed by existing OApp-level mitigations, leaving residual governance and race-condition risks that protocol integrators should carefully manage. |
OtterSec14-07-2023 - 03-08-2023 |
| The OtterSec audit identified three medium-severity vulnerabilities involving fund theft and signature replay, all resolved by the LayerZero team, along with one low-severity centralization risk and six informational recommendations, leaving no critical or high-severity issues in the codebase at the time of review. |
Paladin Blockchain Security15-12-2023 |
| The audit found no critical or high-severity vulnerabilities, and all three medium-severity issues were resolved by the LayerZero team during the engagement. The protocol's security posture depends heavily on correct library configuration and governance integrity, which the report documents as explicit trust assumptions. |
Josip Koncurat (windhustler)15-12-2023 |
| The audit found no critical or high-severity vulnerabilities and only three low-severity issues (all related to DoS vectors acknowledged as application-level concerns) plus three informational recommendations, indicating that the core LayerZero V2 protocol contracts are well-architected from a security standpoint. |
Zellic26-07-2023 - 13-12-2023 |
| The audit uncovered a critical message-forgery vulnerability that was remediated before deployment, along with several medium- and low-severity issues that were mostly fixed, making the core Endpoint V2 contracts reasonably safe for deployment assuming OApp developers follow recommended secure configurations. |
OtterSec05-02-2026 |
| The single medium-severity access control vulnerability was patched before publication, and the remaining code maturity suggestions are low risk; the audit thus indicates no unresolved critical or high-severity issues in the assessed scope. |
Paladin Blockchain Security05-02-2026 |
| The audit uncovered no High or Medium severity vulnerabilities, with all 4 Low-severity findings either resolved or acknowledged by the team, and the 4 Informational items accepted as noted design choices—indicating the EndpointV2Alt contracts present a reasonable security posture for deployment. |
OtterSec14-07-2023 - 25-08-2023 |
| The audit found no critical or high-severity flaws; the two medium issues (signature replay and incorrect replay protection) and the low centralization risk were all resolved by the project, indicating a satisfactory security posture for the VerifierNetwork component. |
Paladin Blockchain Security26-08-2025 |
| The audit found no high or critical vulnerabilities; the single medium-severity re-entrancy issue and all low-severity findings were resolved by the LayerZero team, making the Verifier Network contracts safe for deployment with the mitigations applied. |
Zellic25-08-2023 |
| Zellic found only two low-impact issues (centralization risk and cross-chain replay potential) in the VerifierNetwork contracts, with no critical or high-severity vulnerabilities; one finding was remediated, the other acknowledged but left unfixed, and the code was not deployed to mainnet at the time of assessment. |
Zellic10-03-2024 - 14-03-2024 |
| The two high-severity issues — arbitrary message forging via chain configuration and a modifiable CCIP router — were both acknowledged and remediated by LayerZero Labs, removing the most critical attack vectors identified in the DVN contracts. |
OtterSec (Otter Audits LLC)01-07-2025 - 03-07-2025 |
| This audit found no vulnerabilities with immediate security impact; the single informational suggestion relates to coding best practices in fee validation, context account consistency, and account writability flags, all of which are low-risk and straightforward to remediate. |
Pashov Audit Group15-05-2024 - 28-05-2024 |
| The audit identified one high-severity access-control issue and two medium-severity initialization/lifecycle flaws, all of which were resolved before deployment; the seven low-severity items were either resolved or acknowledged. Overall the findings were properly addressed, though the reliance on one-step authority transfers and the CPI scalability constraints remain as acknowledged design-level considerations. |
Halborn08-05-2024 - 24-05-2024 |
| The audit found no critical, high, or medium severity risks in LayerZero's Solana Endpoint V2, with only 2 low-severity and 2 informational findings that were all accepted or acknowledged by the team, reflecting a clean security posture overall. |
Zellic10-06-2024 - 19-07-2024 |
| All three findings (two high, one medium) were acknowledged and remediated by LayerZero Labs before mainnet deployment, and no critical issues were identified, reflecting a well-handled security assessment cycle. |
OtterSec20-05-2024 - 31-05-2024 |
| All five identified vulnerabilities were remediated before publication, making the audited codebase safe for deployment with respect to the findings; however, operators should note that the audit scope was limited to a specific commit and did not cover subsequent changes. |
OtterSec (Otter Audits LLC)26-08-2024 - 29-01-2025 |
| All 20 vulnerabilities were resolved before the report date, and the two critical findings (missing message verification and improper blocklist enforcement) were patched, meaning the protocol does not ship with unpatched critical or high-risk flaws identified in this engagement. |
Paladin Blockchain Security14-01-2025 |
| The audit identified several high-risk architectural concerns around LayerZero governance privilege escalation paths on Aptos, most of which were acknowledged or resolved; the codebase is generally well-structured for a complex cross-chain messaging layer, but residual design risks—particularly around governance centralization and approximate fee models—remain and should be monitored by OApps considering opting out of defaults. |
OtterSec (Otter Audits LLC)13-09-2025 - 09-10-2025 |
| All four findings were informational best-practice recommendations with no immediate security impact, and each was patched before the report was issued, meaning the audited codebase poses no residual critical or high-severity risk. |
Zellic30-09-2025 |
| The audit found one critical vulnerability (invalid ByteArray handling) that was resolved at the Cairo language level before deployment, and all other findings were acknowledged and fixed. Overall, the Starknet implementation faithfully translates the EVM protocol without major functional deviations, but the critical finding underscores the importance of thorough validation at Cairo's language boundary. |
| The audit found no critical or high-severity issues; the one medium and two low-risk vulnerabilities were all resolved in follow-up patches, and the general findings were either fixed or acknowledged, indicating the codebase was in a sound state upon completion. | |
Paladin Blockchain Security07-10-2025 |
| Paladin's diff-audit found no critical, high, or medium severity vulnerabilities in LayerZero's EndpointV2 on Sui, with all 7 low/informational findings acknowledged by the team, indicating a mature codebase where only minor residual governance-configuration risks remain. |
OtterSec22-10-2025 - 24-10-2025 |
| The audit identified no security vulnerabilities — the sole finding was an informational naming-convention suggestion (replace "sui" with "iota" in identifiers), which was already resolved. The IOTA LayerZero endpoint integration is sound from a security perspective. |
OtterSec (Otter Audits LLC)14-07-2023 - 25-08-2023 |
| The audit found no critical or high-severity vulnerabilities; the two medium-severity and one low-severity finding were all resolved, making the VerifierNetwork contracts safe for deployment with the applied patches. |
Paladin Blockchain Security26-08-2023 |
| The Paladin audit found no critical or high severity vulnerabilities in LayerZero's DVN contracts, and all medium and low severity issues were resolved before the report's publication, indicating a well-secured Verifier Network implementation. |
Zellic26-07-2023 - 22-08-2023 |
| The audit identified only two low-impact issues in the VerifierNetwork contracts, with one fixed (cross-chain replay) and one acknowledged (centralization of execute). The limited scope and low severity of findings suggest a well-structured codebase at the time of review. |
Zellic10-03-2024 - 14-03-2024 |
| The audit identified two high-impact message-forgery vectors arising from privileged admin capabilities, both of which were acknowledged and remediated by LayerZero Labs before deployment. |
OtterSec (Otter Audits LLC)20-11-2025 - 25-11-2025 |
| Both critical vulnerabilities were resolved in PR#88 before publication, eliminating the highest-risk attack paths; the remaining informational finding on optional message hash validation represents a prudent hardening opportunity but does not pose an immediate threat to the protocol. |
OtterSec15-09-2025 - 16-09-2025 |
| The audit identified no vulnerabilities with immediate security impact; the sole informational finding on missing validation was partially remediated and partially acknowledged, indicating a sound security posture for the eigen-dvn program at the time of review. |
Zellic25-09-2025 |
| The audit found no security vulnerabilities in the scoped EigenLayer DVN contracts, indicating the reviewed code at the specified commit was free of identified issues; however, as the report notes, a single assessment cannot guarantee the absence of all vulnerabilities. |
| The Zellic audit of LayerZero OApp and OFT contracts across two review cycles found no security vulnerabilities, reflecting a clean security posture for the scoped codebase at the reviewed commits. | |
Zellic12-05-2024 - 30-05-2024 |
| The audit found zero security vulnerabilities in the LayerZero OApp & OFT contracts, confirming the codebase was clean at the reviewed commit. Developers should heed the documented cautions regarding override patterns and cross-chain dust truncation to avoid introducing issues in downstream implementations. |
ChainSecurity30-01-2024 |
| The audit found no critical or high-severity vulnerabilities, and all medium/low findings were either code-corrected or acknowledged with documentation warnings, indicating a satisfactory security posture for OFT/OApp deployments provided developers heed the documented limitations on special ERC20 tokens and uint64 supply caps. |
Hexens28-10-2024 - 01-11-2024 |
| No critical or high-severity vulnerabilities were discovered; the only medium-severity finding and all low/informational issues were resolved or acknowledged, resulting in audited contracts that the auditor deemed secure and ready for deployment. |
Zellic17-12-2025 |
| The report is a limited-scope patch review confirming dependency updates for Solana example programs, but the findings table could not be extracted from the PDF, leaving severity counts unavailable. No exploitable findings were identified in the converted text. |
Zellic26-05-202528-05-202525-06-2025 |
| The audit found no vulnerabilities above informational severity in this example OApp, and both informational items were acknowledged by LayerZero Labs; for an example/template codebase this represents a clean result, though downstream developers should heed the ambiguity and front-running caveats when building production OApps. |
Zellic12-05-2024 - 30-05-2024 |
| No security vulnerabilities were identified across the audited LayerZero OApp & OFT contracts; the report contains only general development cautions rather than findings, indicating a clean security posture for the reviewed codebase at this revision. |
ChainSecurity09-12-2023 - 30-01-2024 |
| The ChainSecurity audit found one acknowledged medium-severity and three acknowledged low-severity open issues, with all other findings corrected during the engagement, concluding that the OFT/OApp codebase provides a satisfactory level of security when deployed as intended with standard ERC20 tokens and under the documented trust model. |
Halborn10-05-2024 - 24-05-2024 |
| The audit found no critical, high, or medium severity issues; the single Low-risk finding was risk-accepted and the three informational items were acknowledged, all with remediation applied, indicating a sound security posture for the OFT Solana deployment. |
OtterSec25-09-2024 |
| The audit identified only one low-severity vulnerability (incorrect dust removal) and two informational suggestions, all of which were remediated, indicating the Solana OFT v2 program is in a sound security posture with no residual critical, high, or medium issues. |
Pashov Audit Group12-09-2024 - 17-09-2024 |
| The audit found one medium-risk issue (mint decimal manipulation) and eleven low-risk findings, all acknowledged by the LayerZero team; no critical or high-severity vulnerabilities were identified, indicating a reasonable security posture for the Solana OFT V2 implementation. |
Hexens21-05-2024 - 23-05-2024 |
| The audit found no critical or high-severity vulnerabilities; the single medium-severity issue (unsynchronized limits) was acknowledged, and all other findings were addressed or accepted, resulting in a measured improvement to code quality and security. |
Hexens01-10-2024 - 04-10-2024 |
| The audit found no exploitable vulnerabilities across all material severity bands; the sole informational finding (gas optimization acknowledged) confirms the RateLimiter contract was secure at the time of review. |
Pashov Audit Group18-09-2024 - 19-09-2024 |
| The audit uncovered three low-severity issues, all of which were either resolved or acknowledged with documentation, and no critical or high-risk vulnerabilities were found, indicating that the core RateLimiter logic is sound for deployment. |
OtterSec (Otter Audits LLC)23-05-2025 |
| No critical vulnerabilities were found, and all identified vulnerabilities (1 high, 1 medium, 2 low) were resolved by the team. The audit confirms that no new vulnerabilities were introduced in the BAM OFT white-label version relative to the original Ethena OFT. |
Zellic19-05-2025 |
| The audit found no security vulnerabilities in the TON OFT diff changes; the sole informational finding was an import path casing issue already remediated by the team. The codebase presents low residual risk from this scope, as core cross-chain logic and security controls remained unchanged. |
Guardian19-01-2026 - 25-03-2026 |
| The audit found no critical or high severity issues, all medium and low findings were resolved, and Guardian assigned a Very High Confidence ranking, indicating the Console/Nexus OFT codebase is secure for deployment at the time of audit. |
OtterSec25-03-2026 |
| The audit found no critical or high-severity vulnerabilities; the single medium-severity overflow issue was remediated, and all three informational findings were either patched or acknowledged, indicating a solid security posture for the Console OFT adapter. |
| Zellic found no critical, high, or medium severity vulnerabilities, with only 3 low-severity and 7 informational issues—all acknowledged and most already remediated—indicating the scoped contracts have no major security blockers for deployment, though operators should remain mindful of documented edge cases around token deregistration and rate-limiter configuration. | |
Paladin Blockchain Security (Paladin)10-08-2024 |
| The audit found no critical, high, or medium severity vulnerabilities; the single low-severity concern about soulbound NFT bridging was acknowledged and documented, and all informational items were resolved. The ONFT721 contracts present a low risk profile for deployment. |
Paladin Blockchain Security25-10-2025 |
| The audit found no high or medium severity issues; all seven low-severity and informational findings were either resolved or acknowledged, indicating a reasonable security posture for the VaultComposer contracts at the time of review. |
Paladin Blockchain Security19-11-2025 |
| The audit found no high or medium severity vulnerabilities, with one low-severity issue resolved and one informational item acknowledged, indicating the OVault contracts present a low safety risk for LayerZero's integration. |
OtterSec (Otter Audits LLC)16-07-2025 |
| No exploitable vulnerabilities were identified; the single informational finding covers code maturity improvements that were mostly addressed or acknowledged, leaving no immediate security risks for the OVault system. |
Paladin Blockchain Security06-08-2025 |
| No high, medium, or low severity vulnerabilities were found in VaultComposerSync, and all four informational items were resolved, indicating a clean security posture for the audited scope. |
Paladin Blockchain Security18-06-2024 |
| The audit uncovered one critical High-severity pricing error that was resolved before deployment, and three Low-severity issues that were either fixed or acknowledged as acceptable design trade-offs, giving reasonable assurance for the ZRO Claim contracts. |
Pashov Audit Group15-06-2024 - 17-06-2024 |
| The audit found two critical issues (off-by-one denominator and stuck remote donations) that directly threatened fund integrity, alongside meaningful high and medium risks; all critical, high, and most medium findings were resolved, leaving only the stablecoin assumption and low-precision items acknowledged, which adequately de-risks the protocol for deployment. |
Hexens17-06-2024 - 18-06-2024 |
| Two critical-path High-severity findings (cross-chain slippage revert and missing LayerZero fees) were fixed before deployment, ensuring the core claim flow functions; however, four acknowledged Medium-severity issues—stale price assumptions, hardcoded valuations, and deployment rigidity—introduce residual design-level risks that the team should monitor or address proactively. |
Paladin Blockchain Security17-06-2024 |
| The audit identified no critical, high, or medium severity vulnerabilities, and all four low-severity issues were either resolved by the team or acknowledged with compensating controls, indicating that the airdrop contracts are reasonably secure for their intended use on both Aptos and Ethereum. |
Paladin Blockchain Security09-09-2025 |
| The audit reported zero High, Medium, or Low severity findings and only a single Informational typo that was resolved, indicating the VeDistributor contracts were in a strong security state at the time of review. |
Zellic05-09-2025 |
| The Zellic audit found zero vulnerabilities in the VeDistributor contracts, which is a clean result; however, the engagement was limited to 1.5 person-days by a single consultant, so the absence of findings should be considered alongside the narrow scope and brief review window. |
Zellic15-10-2024 - 21-10-2024 |
| The audit found no critical or high-severity issues, with only two low-impact and one informational finding (all acknowledged or fixed), indicating that LZ Read's core smart contracts were well-constructed and presented no material security concerns prior to deployment. |
Sec312-11-2024 |
| The audit found no critical or high-severity vulnerabilities; all nine issues were acknowledged and none required code changes, indicating the lzRead contracts posed low immediate risk at the time of review. |
OtterSec23-12-2025 - 24-12-2025 |
| The LZMulticall audit by OtterSec produced zero findings, indicating the contract passed review with no security vulnerabilities or informational issues identified. |
Paladin Blockchain Security14-01-2026 |
| No critical or high-severity vulnerabilities were identified; two low-severity issues were resolved and five informational items were acknowledged by design, reflecting a sound security posture for the LZMultiCall contracts at the time of assessment. |
UNH-IOL (University of New Hampshire Interoperability Labs)15-12-2025 - 13-01-2026 |
| No security vulnerabilities were found in the LZMulticall contracts; only two informational NatSpec issues and one gas optimization were identified, all acknowledged or resolved by LayerZero. The audit indicates the codebase presents minimal security risk for the reviewed scope. |
Paladin Blockchain Security21-04-2025 |
| The audit found no high or medium severity vulnerabilities, and all 9 low/informational findings were resolved, indicating a solid security posture for the HyperLiquid Composer contracts at the time of assessment. |
OtterSec (Otter Audits LLC)04-08-2025 |
| The audit found no critical, high, medium, or low-severity vulnerabilities; all four informational recommendations were either resolved or acknowledged by LayerZero, indicating the codebase was in sound security posture at the time of assessment. |
Paladin Blockchain Security15-11-2025 |
| No high or medium severity vulnerabilities were found, and all 9 issues (3 low, 6 informational) were resolved before finalization, indicating that the HyperLiquid FeeActivation contracts were thoroughly reviewed and remediated. |
OtterSec05-02-2026 |
| One medium-severity access control vulnerability was identified and resolved before delivery, with no critical or high-severity issues remaining open, indicating the audited contracts are safe for deployment after the applied fixes. |
Paladin Blockchain Security05-02-2026 |
| The audit found no High or Medium severity vulnerabilities, and two Low-severity items were resolved, indicating the EndpointV2Alt support contracts are broadly secure for deployment with only minor residual acknowledged issues. |
UNH Interoperability Labs (University of New Hampshire Interoperability Labs)21-01-2026 - 06-02-2026 |
| The UNH-IOL audit of LZEndpointDollar returned zero findings across all severity levels, indicating no security vulnerabilities were identified in the reviewed codebase within the audit's scope and time-boxed engagement. |
OtterSec (Otter Audits LLC)23-01-2026 - 27-01-2026 |
| The LZEndpointDollar audit by OtterSec found no vulnerabilities in the critical through low severity bands; the single informational suggestion (missing reentrancy guard on unwrap) was promptly fixed, indicating a well-scoped and secure codebase. |
OtterSec (Otter Audits LLC)16-02-2026 |
| The audit found no security vulnerabilities with immediate impact; the single informational recommendation (OFT blacklist) is a defense-in-depth suggestion that does not pose an active risk to deployed funds or protocol safety as assessed. |
Paladin Blockchain Security10-02-2026 |
| The TempoOFTWrapper audit by Paladin found no high or medium severity vulnerabilities; only three informational issues were identified, one of which was resolved. The contracts are low-risk for their intended use, though the acknowledged items warrant minor attention from integrators. |
Legal
Legal form
Limited company (private limited liability company — "Ltd.")
Registration jurisdiction
British Virgin Islands (stated governing law and arbitration seat in the Terms of Use; operator is LayerZero Labs Ltd.)
Status and notes
The operating entity is LayerZero Labs Ltd. as identified in the Terms of Use and Privacy Policy. A physical address is given in the Privacy Policy: Suite 2240, Tower Two, Times Square, 1 Matheson Street, Causeway Bay, Hong Kong. Legal documents — Terms of Use, Privacy Policy, and Cookie Policy — are all published and accessible on the site.