LayerZero CEO disclosed the vulnerability in the AcrossToken contract and provided a solution

BlockBeats News, on October 22nd, Bryan Pellegrino, CEO of Cross-Chain Interaction Protocol LayerZero, wrote a letter to the Across Protocol team on social media, stating, 'I want to inform you that your Token contract has a critical issue. You mistakenly exposed a functionality that was originally intended to be an internal private function, which was implemented by Open Zeppelin in their ERC20 Token implementation to destroy Tokens and give them to the contract owner - this allows you to withdraw Tokens from any wallet at any time and arbitrarily set the balance of any account to 0. In addition, your Across Protocol and UMA Protocol contracts both have the ability to mint an unlimited amount of Tokens, but I have already informed you about these two issues and you seem to not care. To address this problem without the need for token reissuance: transfer ownership of the contract to a new Smart Contract to prevent minting exceeding the total supply and disallow destruction. Since this is a permanent vulnerability, the new contract must be immutable and should not include any functionality to transfer ownership. If you have an active bug bounty program, you can attribute this information to the LayerZero team.'