A security alert has flagged a possible compromise involving LayerZero EndpointV2 and forged cross-chain message delivery, raising immediate concern among DeFi protocols that rely on LayerZero v2 infrastructure. The warning, attributed to on-chain monitor SafeNox, said an attacker spoofed a trusted message origin after pre-funding operations through Tornado Cash roughly 10 hours before the reported strike.
Protocols Urged to Review Trusted Paths
The alert centers on trusted message-origin spoofing, a failure mode in which a destination-chain application accepts a message that appears to come from an authorized source. If successful, this can trigger unauthorized actions in protocols that rely on the affected messaging route.
🚨 LayerZero EndpointV2 compromised. Attacker pre-funded via Tornado Cash ~10hrs before strike, spoofed a trusted message origin. If your protocol relies on LayerZero v2 messaging — pause withdrawals NOW and audit your trusted path configs.
— SafeNox (@SafeNox) June 22, 2026
LayerZero’s own documentation identifies EndpointV2 as the primary entry point for LayerZero v2 cross-chain communications, responsible for coordinating message sending, receiving and configuration management between connected applications. That makes any reported issue involving EndpointV2 especially sensitive for protocols using LayerZero pathways.
The practical concern for DeFi operators is configuration risk. LayerZero documentation warns that production deployments should use multiple required DVNs from independent operators, because a single-DVN setup can leave a pathway exposed if that verifier is compromised.
Security-focused guidance following the alert has therefore centered on pausing sensitive flows, reviewing DVN settings and validating trusted path configurations. For protocols with withdrawals, mints or bridge releases tied to LayerZero messages, the immediate priority is to confirm that message origins and verifier thresholds cannot be bypassed.
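One way to run the DVN and trusted-path review described above over exported pathway settings, as an added example that is not from LayerZero or the original article. The field names are assumptions modelled on a ULN-style verifier config, and the operator labels and peer values are constructed.

```javascript
// Added example, not LayerZero code. Field names are assumptions modelled on
// a ULN-style verifier config; operator labels and peer values are constructed.

// Fewest distinct operators whose compromise yields every attestation a
// pathway needs: all required DVNs plus `optionalDVNThreshold` optional ones.
function operatorsToCompromise(cfg) {
  const required = new Set(cfg.requiredDVNs.map((d) => d.operator));
  let needed = cfg.optionalDVNThreshold;
  const byOperator = new Map();
  for (const d of cfg.optionalDVNs) {
    if (required.has(d.operator)) needed -= 1; // operator already counted
    else byOperator.set(d.operator, (byOperator.get(d.operator) || 0) + 1);
  }
  // Greedy: operators running the most optional DVNs cover the threshold fastest.
  let extra = 0;
  for (const count of [...byOperator.values()].sort((a, b) => b - a)) {
    if (needed <= 0) break;
    needed -= count;
    extra += 1;
  }
  return needed > 0 ? Infinity : required.size + extra; // Infinity: threshold unreachable
}

function auditPathway(p) {
  const findings = [];
  // Trusted path: the peer must be set and equal to the expected remote application.
  if (!p.peer || /^0x0*$/.test(p.peer)) findings.push("peer-unset");
  else if (p.peer.toLowerCase() !== p.expectedPeer.toLowerCase()) findings.push("peer-mismatch");
  const n = operatorsToCompromise(p);
  if (n === Infinity) findings.push("threshold-unreachable");
  else if (n < 2) findings.push("verifier-set-too-concentrated");
  return findings;
}

// Constructed sample pathways (not taken from any real deployment).
const dvn = (operator) => ({ operator });
const PEER = "0x" + "ab".repeat(32);
const SAMPLE = {
  soleDvn: { peer: PEER, expectedPeer: PEER, requiredDVNs: [dvn("op1")], optionalDVNs: [], optionalDVNThreshold: 0 },
  sameOperator: { peer: PEER, expectedPeer: PEER, requiredDVNs: [dvn("op1"), dvn("op1")], optionalDVNs: [], optionalDVNThreshold: 0 },
  optionalOverlap: { peer: PEER, expectedPeer: PEER, requiredDVNs: [dvn("op1")], optionalDVNs: [dvn("op1"), dvn("op2")], optionalDVNThreshold: 1 },
  wrongPeer: { peer: "0x" + "cd".repeat(32), expectedPeer: PEER, requiredDVNs: [dvn("op1"), dvn("op2")], optionalDVNs: [], optionalDVNThreshold: 0 },
  independent: { peer: PEER, expectedPeer: PEER, requiredDVNs: [dvn("op1"), dvn("op2")], optionalDVNs: [dvn("op3")], optionalDVNThreshold: 1 },
};

function auditAll(pathways) {
  return Object.fromEntries(Object.entries(pathways).map(([name, p]) => [name, auditPathway(p)]));
}

console.log(auditAll(SAMPLE));
```

The `sameOperator` and `optionalOverlap` cases show why counting DVN addresses alone is not enough: both list more than one verifier, yet a single operator can still supply every attestation the pathway needs.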
Official Scope Remains Unclear
The uncertainty matters because LayerZero’s earlier KelpDAO incident showed how a forged cross-chain message can produce severe losses when an application’s verifier configuration is too concentrated. In that case, LayerZero said the attack resulted in the release of 116,500 rsETH, worth approximately $292 million at the time, after compromised infrastructure produced a valid attestation for a forged message.
LayerZero also said after that incident that its DVN would refuse to sign as the sole required attestor on any channel it participates in. That mitigation is relevant context, but it does not independently confirm the current SafeNox alert as a new protocol-wide EndpointV2 vulnerability.
For now, the story should be treated as an active security warning requiring protocol-level verification, not a fully documented LayerZero post-mortem. The next decisive updates would be a direct LayerZero statement, affected-protocol disclosures, confirmed transaction hashes and a finalized assessment of whether the issue reflects an EndpointV2 flaw, a DVN configuration weakness or an application-specific trusted-path failure.
