
LZMultiCall Protocol Drained of $142,000 in Arbitration Call Exploit on Ethereum

The LayerZero messaging ecosystem experienced a fresh security breach on February 7, 2026, when the LZMultiCall protocol fell victim to an arbitrary call vulnerability that was used to drain approximately $142,000 on the Ethereum network. The incident adds to a turbulent week for decentralized finance, with six separate attacks totaling roughly $3.8 million in losses between February 2 and February 8, according to blockchain security firm BlockSec.

The Exploit Mechanics

The LZMultiCall vulnerability centered on an arbitrary call flaw that allowed an attacker to manipulate the protocol’s execution flow. In essence, the contract failed to properly validate and sanitize the targets and calldata being passed through its multi-call execution path. This meant that an external caller could craft a malicious payload instructing the contract to invoke arbitrary functions on any external address — a classic arbitrary external call vulnerability.

The attacker constructed a transaction that directed the LZMultiCall contract to call an external router with carefully crafted calldata, effectively bypassing the intended access controls. Because the contract did not enforce strict validation on the destination addresses or the function signatures being called, the exploit payload executed without triggering any internal safety checks. The result was a direct drain of funds from the protocol’s liquidity pools to an address controlled by the attacker.

BlockSec noted that the incident was not caused by a flash loan attack or price manipulation. Instead, the root cause was purely a smart contract logic error — the protocol exposed a function path that should have been restricted to trusted callers or, at minimum, required validation of the calldata being forwarded.

Affected Systems

The attack was isolated to the LZMultiCall deployment on Ethereum. LayerZero’s core messaging protocol, which powers cross-chain communication for dozens of decentralized applications, was not directly compromised. However, the incident underscores the cascading risk inherent in composable DeFi infrastructure: a vulnerability in one auxiliary contract can expose user funds even when the underlying protocol remains secure.

The timing is notable. The LZMultiCall exploit occurred on the same day that South Korean exchange Bithumb accidentally distributed 620,000 Bitcoin — worth approximately $44 billion — to users during a promotional event. While the Bithumb incident was an operational error rather than a security breach, the convergence of events highlights a broader theme: whether through code vulnerabilities or human error, the crypto ecosystem continues to face significant reliability challenges. Bitcoin traded at approximately $69,282 and Ethereum at $2,091 on this date, according to CoinMarketCap data.

The Mitigation Strategy

In response to the LZMultiCall exploit, security researchers have recommended several immediate and long-term mitigation strategies for protocols implementing multi-call or batch execution patterns:

1. Calldata Validation: All user-supplied calldata must be validated against a whitelist of permitted function selectors and target addresses before execution. Blanket forwarding of arbitrary calldata to external routers is a known anti-pattern that has been exploited repeatedly in DeFi.

2. Access Control on Execution Paths: Functions that execute external calls should be restricted to trusted addresses — typically protocol-owned contracts or governance-approved executors. Making such paths permissionless invites exactly the type of attack seen here.

3. Circuit Breaker Mechanisms: Protocols should implement transaction-level limits on the value that can be moved in a single call, along with time-locked withdrawal mechanisms that give teams a window to detect and respond to anomalous outflows.
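As an added illustration (not LZMultiCall's own code, which the article does not show), the unchecked forwarding pattern is placed beside a version that applies the three mitigations above: a trusted-executor role, a whitelist of targets and function selectors, and a per-transaction value cap. The contract names, the executor role and the 10 ether cap are assumptions; the time-locked withdrawal from point 3 is left out for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example of the anti-pattern: any caller can make this contract
// call any address with any calldata, so every approval or balance it holds is reachable.
contract VulnerableMultiCall {
    function multicall(address[] calldata targets, bytes[] calldata data) external {
        for (uint256 i = 0; i < targets.length; i++) {
            (bool ok, ) = targets[i].call(data[i]);
            require(ok, "call failed");
        }
    }
}

// Hardened version: trusted callers only, whitelisted targets and selectors,
// and a per-transaction value cap as a simple circuit breaker (limit is assumed).
contract GuardedMultiCall {
    address public immutable owner;
    mapping(address => bool) public isExecutor;       // access control on the execution path
    mapping(address => bool) public allowedTarget;    // target whitelist
    mapping(bytes4 => bool) public allowedSelector;   // function selector whitelist
    uint256 public constant MAX_VALUE_PER_TX = 10 ether;

    event CallForwarded(address indexed target, bytes4 indexed selector, uint256 value);

    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function setExecutor(address a, bool ok) external onlyOwner { isExecutor[a] = ok; }
    function setTarget(address a, bool ok) external onlyOwner { allowedTarget[a] = ok; }
    function setSelector(bytes4 s, bool ok) external onlyOwner { allowedSelector[s] = ok; }

    function multicall(
        address[] calldata targets, bytes[] calldata data, uint256[] calldata values
    ) external payable {
        require(isExecutor[msg.sender], "caller not trusted");
        require(targets.length == data.length && data.length == values.length, "length mismatch");
        uint256 total;
        for (uint256 i = 0; i < targets.length; i++) {
            require(allowedTarget[targets[i]], "target not whitelisted");
            require(data[i].length >= 4, "missing selector");
            bytes4 sel = bytes4(data[i][:4]);              // first 4 bytes of calldata
            require(allowedSelector[sel], "selector not whitelisted");
            total += values[i];
            require(total <= MAX_VALUE_PER_TX, "per-tx value cap exceeded");
            (bool ok, ) = targets[i].call{value: values[i]}(data[i]);
            require(ok, "call failed");
            emit CallForwarded(targets[i], sel, values[i]);  // emitted for off-chain monitoring
        }
        require(total == msg.value, "msg.value mismatch");
    }
}
```

The selector check alone is not sufficient if a whitelisted target exposes a function that itself forwards calls; the target whitelist must be reviewed with that in mind.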

Lessons Learned

The LZMultiCall incident reinforces a critical lesson that the DeFi community has learned repeatedly: multi-call and batch execution patterns are inherently dangerous when combined with insufficient input validation. The pattern — accepting user-supplied calldata and forwarding it to external contracts — has been at the center of numerous high-profile exploits, from the Poly Network breach to the GYD Protocol incident just days earlier on February 3, which lost approximately $700,000 to a similar vulnerability.

For developers building cross-chain messaging infrastructure, the takeaway is clear: every external call path must be treated as a potential attack surface. Defense-in-depth — combining access control, input validation, and runtime monitoring — is not optional. It is the minimum standard for any protocol handling user funds.

User Action Required

Users who interacted with the LZMultiCall protocol on Ethereum should immediately revoke any outstanding token approvals granted to the compromised contract. This can be done through tools like Revoke.cash or Etherscan’s token approval checker. Additionally, users should monitor their wallets for any unauthorized transactions originating from contracts in the LayerZero ecosystem, as secondary exploits sometimes follow initial breaches. If you hold positions in any LayerZero-connected protocols, verify that the teams have confirmed their contracts are not affected by this specific vulnerability before resuming normal activity.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any cryptocurrency protocol.


10 thoughts on “LZMultiCall Protocol Drained of $142,000 in Arbitration Call Exploit on Ethereum”

  1. LayerZero ecosystem keeps getting hit. the multi-call pattern needs better sanitization, this is like the third exploit using calldata manipulation

    1. third time with calldata manipulation and still no standard sanitization layer. at some point this is a design choice not a bug

      1. 0xSieve.eth three times and counting. LayerZero keeps shipping integrations without pausing to fix the underlying pattern. the $142k is a warning shot not the ceiling

    1. one attack is an incident, six in a week is a systemic problem with how defi contracts are being audited

    1. dollar amount is low but the attack vector being trivially exploitable is the real concern. imagine this on a $100M bridge

  2. $142k is barely news except the arbitrary call pattern keeps repeating across the LayerZero stack. same bug, different contract

  3. arbitrary external calls in 2026 are inexcusable. this was a solved problem after the 2017 multisig wallet hacks. every audit checklist has it and projects still ship without it
