ZetaChain Vulnerability Reported by White Hat but Ignored, Leading to $334,000 Attack

On April 29, cross-chain protocol ZetaChain disclosed that the security issue involved in its recent approximately $334,000 vulnerability attack had been reported in advance by a researcher through its bug bounty program, but was dismissed by the project team as ‘expected behavior’ at the time. According to the official incident review, the attack stemmed from a combination of three design flaws that initially appeared independent and low-risk: the Gateway contract allowed anyone to send arbitrary cross-chain instructions; the receiving end could execute calls on almost any contract, with overly narrow blacklist restrictions; and some wallets retained unlimited approvals that were not cleared. The attacker ultimately exploited these flaws to instruct the Gateway to transfer tokens directly to an address under their control, completing the asset transfer. ZetaChain stated that the attack involved nine transactions across four chains: Ethereum, Arbitrum, Base, and BSC, with the stolen funds all originating from wallets controlled by ZetaChain, and user funds were unaffected. The official report indicated that the attack was clearly premeditated. The attacker funded their wallet through Tornado Cash three days before the attack, deployed a dedicated Drainer contract in advance, and also executed an address poisoning attack. ZetaChain has begun pushing out a patch to mainnet nodes, permanently disabling the arbitrary call feature and changing the unlimited approval mechanism in the deposit process to ‘exact amount authorization.’