ZetaChain Bug Report Dismissed Before $334K Cross-Chain Exploit

A critical vulnerability in ZetaChain that later led to a $334,000 exploit had been reported earlier through its bug bounty program but was dismissed as intended functionality, according to the project’s post-mortem. The incident has triggered a review of how complex security reports are evaluated, especially those involving multiple chained weaknesses.

By Tristan R.

Senior Author · April 29, 2026

Multi-Chain Exploit Targeted Gateway Contract

The attack drained around $334,000 from ZetaChain-controlled wallets across nine transactions on four blockchains, including Ethereum, Arbitrum, Base, and BNB Smart Chain. No user funds were affected.

The exploit worked by combining three issues: unrestricted cross-chain instructions, overly permissive execution of contract commands with a weak blocklist, and previously granted unlimited wallet approvals that were never revoked. Together, these allowed attackers to transfer tokens from connected wallets into their own.

Pre-Planned Attack and Security Response

The attacker reportedly funded their wallet via Tornado Cash, deployed a custom drainer contract, and conducted address poisoning before executing the exploit. ZetaChain has since patched the gateway by disabling arbitrary calls and replacing unlimited approvals with exact-amount permissions. The case has raised broader concerns about bug bounty evaluation standards and DeFi security practices.
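The third weakness named above, unlimited approvals that were never revoked, can be audited from a token's event history. The following is an added example, not code from ZetaChain or its post-mortem: it replays raw ERC-20 `Approval` logs (in the shape `eth_getLogs` returns) and lists wallets whose latest approval to a given spender is still effectively unlimited. All addresses and log entries are constructed, and the `2**255` cutoff is an assumption.

```python
# topic0 of ERC-20 Approval(address,address,uint256)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED_FLOOR = 2**255  # assumption: values this large are treated as unlimited

def _addr(topic):
    """Indexed address topics are 32 bytes; the address is the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def standing_allowances(logs):
    """Return {(token, owner, spender): last approved value} from raw logs."""
    state = {}
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in ordered:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares topic0 but has 4 topics
        key = (log["address"].lower(), _addr(topics[1]), _addr(topics[2]))
        state[key] = int(log["data"], 16)  # a later approve(…, 0) overwrites to zero
    return state

def flag_unlimited(logs, spender):
    """List (token, owner) pairs whose latest approval to `spender` is unlimited."""
    spender = spender.lower()
    return sorted(
        (token, owner)
        for (token, owner, sp), value in standing_allowances(logs).items()
        if sp == spender and value >= UNLIMITED_FLOOR
    )

def _log(token, owner, spender, value, block, index):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x"), "blockNumber": hex(block), "logIndex": hex(index)}

# Constructed sample data: placeholder addresses, not real contracts or wallets.
GATEWAY, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
WALLET_1, WALLET_2, WALLET_3 = "0x" + "01" * 20, "0x" + "02" * 20, "0x" + "03" * 20
MAX = 2**256 - 1
SAMPLE_LOGS = [
    _log(TOKEN_A, WALLET_2, GATEWAY, 0, 150, 0),     # revocation (listed out of order)
    _log(TOKEN_A, WALLET_1, GATEWAY, MAX, 100, 3),   # unlimited, never revoked
    _log(TOKEN_A, WALLET_2, GATEWAY, MAX, 101, 0),   # unlimited, revoked at block 150
    _log(TOKEN_B, WALLET_1, GATEWAY, 5000, 120, 1),  # exact-amount approval
    _log(TOKEN_A, WALLET_3, OTHER, MAX, 130, 2),     # unlimited, but to another spender
]

if __name__ == "__main__":
    print(flag_unlimited(SAMPLE_LOGS, GATEWAY))
```

The value taken from logs is the last amount approved, which is an upper bound on what remains; confirm any flagged pair with the token's `allowance(owner, spender)` before acting on it.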

About the author

Tristan R.

8+ years covering crypto markets, macro, and geopolitics. Previously at Decrypt and CoinDesk. Focused on the intersection of digital assets and traditional finance.