Golden Finance reported that there is a key vulnerability in the cross-chain communication protocol LayerZero, which was discovered by Blockian, and user applications can manipulate Oracle and Relayer fees to enable them to send messages without incurring any costs, which mainly revolves around the fee calculation process in the sending function of the default LayerZero node UltraLightNodeV2.sol. UAs can configure their Oracle and Relaye to return custom malicious versions of zero fees, bypassing the cost calculation process altogether. It is reported that after the UA initiates the message sending process, it can set its Oracle and Relayer configurations to a custom free version, so the cost of the message is calculated to zero, and the result of this manipulation is that the user agent is able to send the message without incurring any fees. It is reported that the Layer Zero team has now quickly fixed the bug by having the relayer check which UA in the transaction called setConfig before blocking the message.