
ZetaChain Dismissed Bug Report Before $334K Cross-Chain Exploit

ZetaChain lost $334,000 after an attacker chained three design flaws in its gateway contract, despite the vulnerability having been flagged through its bug bounty program and dismissed as intended behavior. The incident prompted a review of bug handling and a patch disabling the arbitrary call function.

Cointelegraph, by Amin Haqshanas

Quick Take

1. ZetaChain lost $334K in cross-chain exploit across Ethereum, Arbitrum, Base, and BSC.
2. The attacker prepared for days using Tornado Cash and an address poisoning campaign.
3. A bug bounty report highlighting the vulnerability was ignored before the attack.
4. The team is rolling out a patch and removing unlimited token approvals.

Market Impact Analysis

Bearish

Exploit reveals vulnerability handling flaws in DeFi, potentially undermining confidence in cross-chain protocols, though impact is largely confined to ZetaChain.

Timeframe: short

Speculation Analysis

Factuality: 90/100
Rumors: Verified
Speculation Trigger: 60/100 (scale: Minimal to Extreme FOMO)

Key Takeaways

  • ZetaChain lost $334,000 across four chains after an attacker exploited three design flaws in its cross-chain gateway.
  • A bug bounty report flagged the vulnerability, but it was dismissed before the attack, prompting a review of the bounty process.
  • The attacker premeditated the exploit, using Tornado Cash and an address poisoning campaign three days in advance.
  • ZetaChain is permanently disabling arbitrary call functionality and switching to exact-amount token approvals to prevent recurrence.

Stolen Funds: $334,000 (across 4 chains)
Transactions: 9 (Ethereum, Arbitrum, Base, BSC)
Bug Report: Dismissed (before attack)
Attacker Prep: 3 days (via Tornado Cash)

What Happened

ZetaChain disclosed a $334,000 exploit across its cross-chain gateway on Sunday. The attacker moved funds from protocol-controlled wallets over nine transactions, spanning Ethereum, Arbitrum, Base, and BSC. No user funds were affected. In its post-mortem, the team admitted a bug bounty report had previously flagged the vulnerability chain, but it was dismissed as intended behavior. The incident forced an immediate review of the bounty process and an accelerated patch to disable the offending functionality.

The Numbers

The attack moved $334,000 through nine transactions across four major blockchain networks. The attacker prepared for three days, funding wallets via Tornado Cash and deploying a custom drainer contract on ZetaChain. An address poisoning campaign was also used to obscure the trail. The bug bounty submission that could have averted the loss was ignored. Measures now being taken include permanently removing unlimited token approvals and disabling arbitrary cross-chain calls.

Why It Happened

Three design flaws combined to create the vulnerability. The gateway contract allowed anyone to send unrestricted cross-chain instructions. On the destination chain, it executed nearly any command, with a narrow blocklist that missed basic token transfers. Wallets that previously interacted with the gateway retained unlimited spending approvals that were never revoked. The attacker exploited all three, instructing the gateway to transfer tokens directly to their own wallet. The flaws, seemingly minor in isolation, became critical when chained together.
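
A small Python model of the three flaws described above and of the two fixes the article names (disabling arbitrary calls, exact-amount approvals). It is an added illustration, not ZetaChain's contract code; the class names, denylist entries, wallet labels and amounts are all constructed.

```python
UNLIMITED = 2**256 - 1                     # the "unlimited approval" value
DENYLIST = {"set_owner", "pause"}          # constructed; the real entries are not on the page

class Token:
    """Minimal ERC-20-style ledger: balances plus (owner, spender) allowances."""
    def __init__(self, balances):
        self.balances, self.allowance = dict(balances), {}

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance.get((owner, spender), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != UNLIMITED:           # unlimited approvals never decrease
            self.allowance[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Gateway:
    def __init__(self, token, arbitrary_calls):
        self.token, self.arbitrary_calls = token, arbitrary_calls

    def deposit(self, owner, amount, exact_approval):
        """Legitimate flow: owner approves the gateway, gateway pulls `amount`."""
        self.token.approve(owner, "gateway", amount if exact_approval else UNLIMITED)
        self.token.transfer_from("gateway", owner, "custody", amount)

    def execute(self, method, *args):
        """Cross-chain instruction from any sender, run with the gateway as caller."""
        if not self.arbitrary_calls:       # fix: arbitrary calls disabled
            raise PermissionError("arbitrary calls disabled")
        if method in DENYLIST:             # denylist that does not list token transfers
            raise PermissionError("method denied")
        getattr(self.token, method)("gateway", *args)

def residual_loss(arbitrary_calls, exact_approval):
    """Tokens an unrelated sender can move after one 100-token deposit."""
    token = Token({"protocol_wallet": 1000})
    gw = Gateway(token, arbitrary_calls)
    gw.deposit("protocol_wallet", 100, exact_approval)
    try:
        gw.execute("transfer_from", "protocol_wallet", "outsider", 900)
    except PermissionError:
        pass
    return token.balances.get("outsider", 0)

if __name__ == "__main__":
    for calls, exact in [(True, False), (True, True), (False, False)]:
        print(f"arbitrary_calls={calls} exact_approval={exact} -> {residual_loss(calls, exact)}")
```

In this model either fix alone brings the residual loss to zero, which is why removing any one link breaks the chain.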

Broader Impact

The exploit highlights systemic risks in cross-chain protocol design and bug bounty handling. When valid reports are ignored, trust erodes not just in the affected project but in similar cross-chain systems. The incident could prompt other protocols to review their gateway contracts and bounty triage processes.

What to Watch Next

  • ZetaChain’s patch deployment and whether the arbitrary call removal is completed without further issues.
  • Any changes to the bug bounty program to better handle chained vulnerability reports.
  • Wider industry scrutiny of cross-chain gateway designs and permission models.

Source: Cointelegraph

This article is for informational purposes only and does not constitute financial advice.


Disclaimer: Bytewit is an independent media outlet that delivers news, research, and data.

© 2026 Bytewit. All Rights Reserved. This article is for informational purposes only.
