ZetaChain Dismissed Bug Report Before $334K Exploit

ZetaChain's vulnerability behind a $334,000 exploit was reported through its bug bounty program before the attack but dismissed as intended behavior.

The team published a post-mortem on Wednesday detailing the Sunday incident, which targeted its cross-chain gateway contract. The exploit drained funds across nine transactions on four chains—Ethereum, Arbitrum, Base, and BSC—from ZetaChain-controlled wallets. No user funds were affected.

ZetaChain attributes the attack to three design flaws: the gateway allowed arbitrary cross-chain instructions without restrictions; it executed nearly any command on any contract due to a narrow blocklist missing basic token transfers; and wallets retained unlimited spending permissions from prior use.

The post-mortem describes a premeditated attack. The attacker funded their wallet via Tornado Cash three days prior, deployed a drainer contract on ZetaChain, and conducted address poisoning via dust transfers.

ZetaChain now reviews bug bounty submissions, especially chained attack vectors. A patch disables arbitrary call functionality on mainnet nodes, and deposit flows replace unlimited approvals with exact-amount ones.