Story

I just got banned by Immunefi for reporting a real replay attack on LayerZero V2

tangou Friday, July 18, 2025

I just got banned by Immunefi for reporting a real replay attack on LayerZero V2.

I discovered that lzReceive() allows infinite replays of valid cross-chain messages, due to the lack of guid tracking. This results in repeated token crediting — a critical flaw.

My PoC used real deployed contracts, no forged data. The vulnerability is 100% reproducible.

Instead of investigating, Immunefi rejected my report without a technical rebuttal — and banned me for "complexity poaching".

Full Story: https://medium.com/@tangouvitch/immunefi-banned-me-for-reporting-a-real-replay-attack-in-layerzero-v2-71d5ee0ff102

Do you think this is a valid bug? Was the ban justified? Should Immunefi be held accountable?

Curious to hear what the Ethereum community thinks.

5 1
Read on Hacker News Comments 1