The ZetaChain vulnerability was reported in advance by white hats but was ignored, ultimately leading to a $334,000 attack incident

By: rootdata|2026/04/29 11:53:23

The cross-chain protocol ZetaChain disclosed that the security issues involved in its recent approximately $334,000 vulnerability attack event had been reported in advance by researchers in the bug bounty program but were deemed "expected behavior" by the project team at that time and were not addressed.

According to the official incident review, this attack originated from a combination of three design flaws that initially seemed independent and low-risk: the Gateway contract allowed anyone to send any cross-chain instructions; the receiving end could execute calls on almost any contract, and the blacklist restrictions were too narrow; some wallets retained unlimited approval for an extended period without being cleared. The attacker ultimately combined these flaws to instruct the Gateway to transfer tokens directly to their controlled address, thereby completing the asset transfer.

ZetaChain stated that this attack involved 9 transactions across four chains: Ethereum, Arbitrum, Base, and BSC, with the stolen funds all coming from wallets controlled by ZetaChain, and user funds were not affected. The official noted that the attack showed clear premeditation. The attacker funded their wallet through Tornado Cash three days before the attack and deployed a dedicated Drainer contract in advance, while also implementing an address poisoning attack. Currently, ZetaChain has begun pushing repair patches to the mainnet nodes, permanently disabling the arbitrary call function and changing the unlimited approval mechanism in the deposit process to "precise amount authorization."

-- Price

--

Disclaimer: This content is provided for general branding and informational purposes only and doesn't constitute financial, investment, legal, or tax advice. Any events, rewards, online events, or related information mentioned herein should not be considered a recommendation, solicitation, or invitation to purchase, sell, trade, or otherwise deal in any crypto assets or to use any services. Crypto assets are highly volatile and may result in loss. WEEX services and online events may not be available in all regions and are subject to applicable laws, regulations, and eligibility requirements. You are responsible for ensuring that your use of WEEX services complies with local laws and for carefully assessing the risks before participating in any crypto-related activities.

You may also like

Contents

Latest articles

More

Latest coin listings on WEEX

iconiconiconiconiconiconicon
Customer Support:@weikecs
Business Cooperation:@weikecs
Quant Trading & MM:bd@weex.com
VIP Program:support@weex.com