ZetaChain discloses a vulnerability attack of approximately $334k, resulting from the stacking of three low-risk flaws: Gateway allowing arbitrary cross-chain commands, receiving end call permissions being too broad, and some wallets having long-term unlimited authorizations that were not cleaned up. The attacker transferred tokens into their controlled address in 9 transactions, with funds originating from the ZetaChain wallet, and user funds were not affected. The attack was premeditated, with funding via Tornado Cash and deployment of a Drainer contract three days ago. The issue has now been fixed, with arbitrary calls disabled and replaced with precise quota authorizations.

BlockBeatNews

2026-04-29 11:35:46

Abstract generation in progress

BlockBeats News, April 29 — Cross-chain protocol ZetaChain disclosed that its recent security incident involving approximately $334k in a vulnerability attack was reported in advance by researchers through the bug bounty program, but at the time was considered “expected behavior” by the project team and was not addressed. According to the official incident review, the attack originated from a combination of three seemingly independent and low-risk design flaws:

The Gateway contract allows anyone to send arbitrary cross-chain instructions;
The receiving end can almost execute calls on any contract, with overly narrow blacklist restrictions;
Some wallets have long retained unlimited approvals that have not been cleaned up.

The attacker ultimately combined these flaws to instruct the Gateway to transfer tokens directly to their control address, thereby completing the asset transfer. ZetaChain stated that the attack involved nine transactions across four chains: Ethereum, Arbitrum, Base, and BSC. The stolen funds all came from wallets controlled by ZetaChain, and user funds were not affected.

The official said the attack was clearly premeditated. The attacker funded the wallet via Tornado Cash three days before the attack, deployed a dedicated Drainer contract in advance, and also carried out an address poisoning attack.

Currently, ZetaChain has begun pushing patches to the mainnet nodes, permanently disabling the arbitrary call function, and has changed the unlimited approval mechanism in the deposit process to “precise approval.”

ZETA0.51%

View Original

This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.

Reward
like
Comment
Repost
Share

Comment

Add a comment

No comments

Trending Topics
View More
#
WCTCTradingKingPK
361.2K Popularity
#
CryptoMarketsDipSlightly
264.35K Popularity
#
DailyPolymarketHotspot
697.36K Popularity
#
StrategyAccumulates2xMiningRate
139.47M Popularity
#
TapAndPayWithGateCard
22.61K Popularity

Sitemap

ZetaChain vulnerability was reported in advance by white hats but ignored, ultimately leading to a $334k attack incident.

Trending Topics

WCTCTradingKingPK

CryptoMarketsDipSlightly

DailyPolymarketHotspot

StrategyAccumulates2xMiningRate

TapAndPayWithGateCard

Pin