LayerZero CEO Reveals Vulnerabilities in Across Token Contracts and Offers Solutions
Bryan Pellegrino, CEO of LayerZero, a cross-chain interoperability protocol, wrote to the Across Protocol team on social media, "I would like to inform you that there is a critical issue with your token contract.
You mistakenly exposed a function that was supposed to be an internal private function, written by OpenZeppelin in its ERC20 token implementation, which destroys tokens and gives them to the contract owner. This allows you to withdraw tokens from any wallet at any time and make any account balance zero at any time.
In addition, both your Across Protocol and UMA Protocol contracts have the ability to mint unlimited coins. I have informed you of these two issues, but you don't seem to care.
To solve this problem without the need to reissue the tokens:
Transfer contract ownership to a new smart contract that prevents minting from exceeding the total supply and does not allow destruction. Since this is a permanent vulnerability, the new contract must be immutable and should not include any ability to transfer ownership.
If you have an active bug bounty program, credit the LayerZero team for this information."
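The pattern Pellegrino describes, and the remediation he proposes, are shown below as an added illustrative example. This is not the Across or UMA contract and not LayerZero's code; it is a hypothetical token written against OpenZeppelin Contracts v5 (assumed: `Ownable` takes an `initialOwner` argument) in which the internal `_mint` and `_burn` helpers are wrapped in owner-only public functions, followed by a hypothetical `ImmutableMintGuard` contract that takes over ownership, forwards only capped minting, and exposes no burn and no ownership transfer. The `maxSupply` and `minter` parameters are assumptions added so the guard generalizes beyond a single fixed cap.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5 (Ownable's constructor takes initialOwner).
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical token (not the Across or UMA contract) reproducing the two issues:
// OpenZeppelin's internal _mint/_burn are re-exposed as owner-only public
// functions, so the owner can inflate supply without limit and zero any balance.
contract ExposedBurnToken is ERC20, Ownable {
    constructor() ERC20("Example", "EXM") Ownable(msg.sender) {}

    // No supply cap: the owner can mint arbitrarily.
    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }

    // _burn was meant to stay internal. Exposing it lets the owner destroy
    // tokens held by ANY account, without that account's consent.
    function burn(address from, uint256 amount) external onlyOwner {
        _burn(from, amount);
    }
}

// Minimal view of the token that the guard needs.
interface IExposedToken {
    function mint(address to, uint256 amount) external;
    function totalSupply() external view returns (uint256);
}

// Remediation in the spirit of the quoted advice: make this contract the token's
// owner. It forwards only mint(), enforces a hard cap, has no burn forwarder and
// no way to pass ownership onward, so the token's burn() becomes uncallable and
// the fix cannot be undone (no reissue of the token is needed).
contract ImmutableMintGuard {
    IExposedToken public immutable token;
    address public immutable minter;     // hypothetical: who may request mints
    uint256 public immutable maxSupply;  // hypothetical: hard cap on totalSupply

    error NotMinter();
    error CapExceeded(uint256 requested, uint256 remaining);

    constructor(IExposedToken token_, address minter_, uint256 maxSupply_) {
        // Refuse a cap already below the circulating supply; otherwise the
        // subtraction in mint() would revert on every call.
        require(maxSupply_ >= token_.totalSupply(), "cap below current supply");
        token = token_;
        minter = minter_;
        maxSupply = maxSupply_;
    }

    function mint(address to, uint256 amount) external {
        if (msg.sender != minter) revert NotMinter();
        uint256 remaining = maxSupply - token.totalSupply();
        if (amount > remaining) revert CapExceeded(amount, remaining);
        token.mint(to, amount);
    }

    // Intentionally absent: burn(), transferOwnership(), renounceOwnership(),
    // and any upgrade hook. Once token.transferOwnership(address(this)) has
    // been executed, those abilities are gone for good.
}
```

Deployment order matters: deploy the guard pointing at the live token, then call `transferOwnership(address(guard))` on the token from the current owner, then verify that `token.owner()` returns the guard's address and that a `burn` call from the former owner reverts with `OwnableUnauthorizedAccount`. Two caveats before relying on this: it only closes the hole if the owner-only functions are the sole mint and burn paths (a proxy admin or separate minter role would need the same treatment), and it requires plain `Ownable`; with `Ownable2Step` the guard would have to call `acceptOwnership`, which it deliberately cannot do.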