I discovered that lzReceive() allows infinite replays of valid cross-chain messages, due to the lack of guid tracking. This results in repeated token crediting — a critical flaw.
My PoC used real deployed contracts, no forged data. The vulnerability is 100% reproducible.
Instead of investigating, Immunefi rejected my report without a technical rebuttal — and banned me for "complexity poaching".
Full Story: https://medium.com/@tangouvitch/immunefi-banned-me-for-reporting-a-real-replay-attack-in-layerzero-v2-71d5ee0ff102
Do you think this is a valid bug? Was the ban justified? Should Immunefi be held accountable?
Curious to hear what the Ethereum community thinks.
Edit: Maybe send a report to steve from grc, he loves those kinds of stories.