Across Protocol co-founder Hart Lambur proposed permanently capping the supply of ACX tokens to one billion late Monday following criticism from LayerZero Labs CEO Bryan Pellegrino. The proposal, if approved by the Across community, would also renounce Across Governance’s ownership over the ACX token and set it to 0x0 — preventing any future changes to the token supply via minting or burning.
Earlier, Pellegrino had flagged what he described as a “critical issue” with the Across token contract. However, this was met with pushback from the community, which suggested it was more of a transparency issue than a security flaw.
“You mistakenly exposed what was meant to be an internal private function written by OpenZeppelin in their ERC-20 token implementation, meant for burning tokens, and gave it to your contract owner — allowing you to take [burn] tokens out of any wallet at any point in time, arbitrarily rugging any account to zero,” Pellegrino said.
The interoperability protocol founder also alleged the Across Protocol and UMA Protocol contracts could infinitely mint tokens, suggesting that to fix the issue ownership should be transferred to an immutable smart contract that prevents minting beyond the total supply, disallows burning and cannot transfer ownership.
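The pattern Pellegrino describes and the owner-contract fix he suggests can be sketched as follows. This is an added illustration, not the ACX or UMA source code and not code from either team. The contract names, the fixed `minter` address and the constructor-supplied `cap` are assumptions; only `ERC20`, `Ownable`, `_mint`, `_burn` and `onlyOwner` come from OpenZeppelin (v5 import paths).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Pattern under discussion (hypothetical token, NOT the ACX source): the
/// owner can mint without limit and burn from any holder without allowance.
contract OwnerControlledToken is ERC20, Ownable {
    constructor(address initialOwner) ERC20("Example", "EXM") Ownable(initialOwner) {}

    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount); // no supply cap is checked
    }

    function burn(address from, uint256 amount) external onlyOwner {
        _burn(from, amount); // `from` is arbitrary, not msg.sender
    }
}

/// Hypothetical owner contract in the shape of the suggested fix. Once the
/// token's ownership is transferred to it, only capped minting is reachable:
/// nothing here forwards burn() or calls transferOwnership() on the token.
contract CappedMintGuard {
    OwnerControlledToken public immutable token;
    address public immutable minter; // assumption: one fixed minting authority
    uint256 public immutable cap;    // assumption: cap given in base units

    error NotMinter();
    error CapExceeded(uint256 requested, uint256 remaining);

    constructor(OwnerControlledToken token_, address minter_, uint256 cap_) {
        token = token_;
        minter = minter_;
        cap = cap_;
    }

    function mint(address to, uint256 amount) external {
        if (msg.sender != minter) revert NotMinter();
        uint256 supply = token.totalSupply();
        uint256 remaining = cap > supply ? cap - supply : 0;
        if (amount > remaining) revert CapExceeded(amount, remaining);
        token.mint(to, amount);
    }
}
```

With OpenZeppelin's `Ownable`, setting the owner to the zero address, as Lambur's proposal does, makes every `onlyOwner` function unreachable, so neither `mint` nor `burn` can be called again.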
Across Protocol is a decentralized cross-chain bridge enabling the transfer of assets between Ethereum and Layer 2 networks. UMA Protocol is a decentralized platform that allows users to create synthetic assets and financial contracts on Ethereum using self-enforcing smart contracts. Lambur is also a co-founder of UMA Protocol.
'Disingenuous FUD and fear-mongering'
Lambur initially dismissed Pellegrino’s allegations as “disingenuous FUD and fear-mongering,” stating its contracts are secure and audited by OpenZeppelin. Jota Carpanelli, head of security at OpenZeppelin, also addressed the claim. Carpanelli explained that the mint and burn functions were controlled by a Safe (formerly Gnosis Safe) multi-sig wallet and functioned as intended, adding that it didn’t see this as a critical issue.
“Are you joking? Do you not understand how to read code? An audit is not a defense against an issue,” Pellegrino replied to Lambur. “I'll tell you what, let's bet your highest bug bounty tier ($1,000,000). When you realize you're wrong, donate it back to the community. Or you can literally just run it and verify yourself.”
Lambur later acknowledged that while, in his opinion, Pellegrino had inaccurately labeled its ERC-20 implementation as having a critical vulnerability, the “design choice was wrong,” adding that the proposal had been put forward in the “spirit of decentralization and transparency.”
“If it was a critical vulnerability I would have never publicly posted it publicly/on Twitter and would have done proper disclosure privately,” Pellegrino responded to another community member on X. “It's a permissioned function controlled by their team, can argue semantics of 'critical issue' or not but I would guess 99% of their users are unaware that they can have their tokens deleted.”
The current non-binding temperature check vote on the proposal, allowing the community to gauge sentiment before making a formal decision, shows 99.5% favor the supply cap.
ACX is down around 4% at $0.28 following the accusations, according to CoinGecko data.
The Block reached out to Lambur and Pellegrino for comment.
© 2024 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.