ZetaChain Dismissed Bug Report Before $334K Exploit
ZetaChain dismissed a bug bounty report on a vulnerability that enabled a $334,000 exploit via its cross-chain gateway. The incident prompted a review of its bug bounty process and a patch rollout.

The team published a post-mortem on Wednesday detailing the Sunday incident, which targeted its cross-chain gateway contract. The exploit drained funds across nine transactions on four chains—Ethereum, Arbitrum, Base, and BSC—from ZetaChain-controlled wallets. No user funds were affected.
ZetaChain attributes the attack to three design flaws: the gateway allowed arbitrary cross-chain instructions without restrictions; it executed nearly any command on any contract due to a narrow blocklist missing basic token transfers; and wallets retained unlimited spending permissions from prior use.
The post-mortem describes a premeditated attack. The attacker funded their wallet via Tornado Cash three days prior, deployed a drainer contract on ZetaChain, and conducted address poisoning via dust transfers.
ZetaChain is now reviewing how it handles bug bounty submissions, especially those describing chained attack vectors. A patch disables arbitrary call functionality on mainnet nodes, and deposit flows replace unlimited approvals with exact-amount ones.
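The three flaws and the patch described above map onto two contract patterns. The following is an added illustration, not ZetaChain's code: the contract and function names (GatewayBlocklist, GatewayAllowlist, execute, deposit) are hypothetical. The first contract shows the weak shape, an arbitrary call gated only by a selector blocklist plus a deposit that leaves an open-ended allowance behind; the second shows the hardened shape, where only pre-registered (target, selector) pairs are callable and a deposit approves exactly the amount being moved and clears it afterwards.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not ZetaChain's code. Contract and function names
// (GatewayBlocklist, GatewayAllowlist, execute, deposit) are hypothetical.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Weak pattern. Any (target, calldata) pair goes through unless its 4-byte
/// selector is on a short blocklist. A blocklist only helps if it is complete:
/// if transfer/transferFrom are missing, the gateway will move tokens it holds
/// or has been approved for, with itself as msg.sender, on any caller's request.
contract GatewayBlocklist {
    mapping(bytes4 => bool) public blocked;

    constructor(bytes4[] memory blockedSelectors) {
        for (uint256 i = 0; i < blockedSelectors.length; i++) {
            blocked[blockedSelectors[i]] = true;
        }
    }

    function execute(address target, bytes calldata data) external {
        require(data.length >= 4, "short calldata");
        require(!blocked[bytes4(data[:4])], "blocked selector");
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }

    /// Weak deposit flow: a one-time open-ended allowance that outlives the deposit
    /// and can be spent by any later call the gateway makes to `vault`.
    function deposit(IERC20 token, address vault, uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "pull failed");
        require(token.approve(vault, type(uint256).max), "approve failed");
    }
}

/// Hardened pattern. No arbitrary call: only (target, selector) pairs that an
/// admin registered in advance are callable, and a deposit approves exactly the
/// amount being moved, so no standing allowance survives the transaction.
contract GatewayAllowlist {
    address public immutable admin;
    mapping(address => mapping(bytes4 => bool)) public allowed;

    constructor() {
        admin = msg.sender;
    }

    function setAllowed(address target, bytes4 selector, bool ok) external {
        require(msg.sender == admin, "not admin");
        allowed[target][selector] = ok;
    }

    function _execute(address target, bytes calldata data) internal {
        require(data.length >= 4, "short calldata");
        require(allowed[target][bytes4(data[:4])], "target/selector not allowed");
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }

    function execute(address target, bytes calldata data) external {
        _execute(target, data);
    }

    /// Exact-amount deposit: the allowance equals `amount`, the downstream call
    /// must itself be on the allowlist, and whatever the vault did not consume
    /// is reset to zero before the transaction ends.
    function deposit(IERC20 token, address vault, uint256 amount, bytes calldata vaultCall) external {
        require(token.transferFrom(msg.sender, address(this), amount), "pull failed");
        require(token.approve(vault, amount), "approve failed");
        _execute(vault, vaultCall);
        require(token.approve(vault, 0), "reset failed");
    }
}
```

Two practical notes on the hardened contract. Some tokens reject an `approve` that changes a non-zero allowance to another non-zero value; for those, either reset to zero first or use a helper such as OpenZeppelin SafeERC20's `forceApprove`. And the allowlist check deliberately keys on both target and selector: allowing a contract address alone would still let a caller pick any function on it, which is the same "execute nearly any command" problem in a narrower form.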