Zetachain experiences a $334k crypto attack, with the vulnerability stemming from an earlier bug bounty program.

CryptoWorld News reports that Zetachain recently fell victim to a coordinated attack, resulting in losses of approximately $334,000. The attackers targeted funds controlled by Zetachain’s protocols on Ethereum, Arbitrum, Base, and BNB Smart Chain. The vulnerability had previously been submitted via the project’s bug bounty program, but the team regarded it as normal behavior.

In its post-incident analysis, Zetachain said the attacker combined multiple design flaws, including unrestricted cross-chain instructions, overly broad smart contract execution permissions, and leftover unlimited token approvals from prior wallet interactions. The attacker also used Tornado Cash to pre-fund the wallet in advance. The incident drew widespread attention because the underlying vulnerability had been identified earlier but was overlooked by the team.

Zetachain stated that the attack was not caused by a single catastrophic flaw, but by several small design issues combining to become dangerous. To address the incident, Zetachain began rolling out security fixes: it permanently disabled the arbitrary call functionality for mainnet nodes and redesigned the token approval process so that future deposits will use approvals for precise amounts rather than granting unlimited permissions.