ZetaChain Admits Bug Bounty Oversight Following $334,000 Exploit

Apr 29, 2026 12:17 UTC

ZetaChain has revealed that a vulnerability leading to a $334,000 loss was previously flagged by a researcher but dismissed by the team. The exploit targeted the protocol's cross-chain gateway, though the company maintains that no user funds were compromised.

  • $334,000 drained across Ethereum, Arbitrum, Base, and BSC
  • Vulnerability was previously reported but dismissed as intended behavior
  • Attack combined arbitrary call functionality and unlimited spending permissions
  • Patch being rolled out to disable arbitrary call functionality
  • No user funds were lost in the incident

ZetaChain is reviewing its security protocols after a premeditated attack drained approximately $334,000 from wallets controlled by the platform. In a recent post-mortem, the project admitted that the vulnerability had been reported through its bug bounty program prior to the event but was incorrectly dismissed as intended behavior.

The exploit targeted the protocol's cross-chain gateway contract, executing nine transactions across Ethereum, Arbitrum, Base, and BSC. The attacker utilized a sophisticated approach, funding their wallet via Tornado Cash and deploying a custom drainer contract three days before the attack, alongside an address poisoning campaign.

According to the post-mortem, the breach resulted from a combination of three design flaws. These included the ability to send arbitrary cross-chain instructions without restrictions, a narrow blocklist that failed to restrict basic token transfers on the receiving end, and the persistence of unlimited spending permissions for previous gateway users.

To prevent future occurrences, ZetaChain is deploying a patch to mainnet nodes to permanently disable arbitrary call functionality. Additionally, the platform is updating its deposit flow to replace unlimited token approvals with exact-amount approvals. The company stated that the incident has prompted a broader review of how it handles bug bounty submissions, particularly those involving chained attack vectors.
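The third flaw and the exact-amount fix can be seen in a small allowance audit. This is an added example, not ZetaChain's code or data: it replays constructed approval and spend records and reports which past depositors still hold a standing allowance to a gateway spender. Every name, address and amount in it is a made-up placeholder.

```python
# Added illustration: constructed records, hypothetical names throughout.
MAX_UINT256 = 2**256 - 1
GATEWAY = "0xGATEWAY"  # placeholder label, not a real contract address

# Constructed log: (kind, owner, spender, amount).
# "approve" sets the allowance; "spend" is a pull by the spender during a deposit.
EVENTS = [
    ("approve", "alice", GATEWAY, MAX_UINT256),   # unlimited approval before deposit
    ("spend",   "alice", GATEWAY, 500),
    ("approve", "bob",   GATEWAY, 500),           # exact-amount approval
    ("spend",   "bob",   GATEWAY, 500),
    ("approve", "carol", GATEWAY, 1_000),         # over-approval, partly used
    ("spend",   "carol", GATEWAY, 400),
    ("approve", "dave",  "0xOTHER", MAX_UINT256), # different spender, out of scope
]

def residual_allowances(events, spender):
    """Replay the log and return {owner: remaining allowance} for one spender."""
    allowance = {}
    for kind, owner, sp, amount in events:
        if sp != spender:
            continue
        if kind == "approve":
            allowance[owner] = amount  # approve overwrites, it does not add
        elif kind == "spend":
            current = allowance.get(owner, 0)
            if amount > current:
                raise ValueError(f"spend exceeds allowance for {owner}")
            allowance[owner] = current - amount
    return allowance

def audit(events, spender):
    """Classify each owner's standing exposure to the spender contract."""
    report = {}
    for owner, left in residual_allowances(events, spender).items():
        if left == 0:
            report[owner] = "none"           # exact-amount approval fully consumed
        elif left >= MAX_UINT256 // 2:
            report[owner] = "unlimited"      # persists long after the deposit
        else:
            report[owner] = f"residual:{left}"
    return report

if __name__ == "__main__":
    for owner, status in audit(EVENTS, GATEWAY).items():
        print(owner, status)
```

Only the exact-amount depositor ends with no allowance left for the spender to act on; the other two remain exposed to whatever the spender contract can be made to do.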
