ZetaChain Dismissed Bug Report That Could Have Prevented $334K Exploit | Crypto Security News
Crypto security news: ZetaChain Dismissed Bug Report That Could Have Prevented $334K Exploit. This update explains what happened, why it matters for wallets, exchanges, traders, and users, and what the market should watch next.
Crypto Security Update
The vulnerability that led to ZetaChain’s recent exploit had been flagged through its bug bounty program before the attack, but was dismissed as intended behavior.In a post-mortem published Wednesday, the team said the incident has prompted a review of how it handles bug bounty submissions, particularly reports involving chained attack vectors that may appear harmless in isolation but are dangerous in combination.“This bug was reported and they simply ignored it,” one user wrote on X. “That’s how bug bounty programs work with these protocols currently; they incentivize losses for the protocol, the TVL, and the user’s balance instead of paying the researcher for discovering and fixing the bug,” they added.ZetaChain lost approximately $334,000 to a premeditated exploit on Sunday that targeted its cross-chain gateway contract. The exploit drained funds across nine transactions on four chains, including Ethereum, Arbitrum, Base and BSC, all from ZetaChain-controlled wallets. No user funds were affected.Related: Crypto hackers stole $17B over past 10 years: DefiLlamaAttacker exploits small design flawsZetaChain said in its post-mortem that the attacker exploited three design flaws that, individually, might have seemed minor, but together opened the door to a full drain. First, the gateway allowed anyone to send arbitrary cross-chain instructions with no restrictions. Second, on the receiving end, it would execute almost any command on any contract, with a blocklist so narrow it missed basic token transfer functions.Third, wallets that had previously used the gateway had left unlimited spending permissions in place that were never cleaned up. By combining all three, the attacker simply told the gateway to transfer tokens from victim wallets to their own, and the gateway complied.Source: ZetaChain“This was not an opportunistic attack,” ZetaChain said in its post-mortem. The attacker funded their wallet through Tornado Cash three days before the exploit, deployed a purpose-built drainer contract on ZetaChain and ran an address poisoning campaign before seeding it into their transaction history via dust transfers.ZetaChain added that a patch permanently disabling the arbitrary call functionality is being rolled out to mainnet nodes. The platform also removed unlimited token approvals from its deposit flow, replacing them with exact-amount approvals going forward.Related: Ethical hacker intercepts $2.6M in Morpho Labs exploitAI DeFi exploit success rate increasesA new study by a16z tested whether an off-the-shelf AI agent could go beyond identifying DeFi vulnerabilities and actually produce working exploits. Using OpenAI’s Codex against a dataset of 20 real Ethereum price manipulation incidents, researchers ran the agent in a sandboxed environment with no access to future transaction data and no guidance on how the attacks worked. The agent succeeded in just 10% of cases.However, when researchers fed the agent structured knowledge about common attack patterns and exploit workflows, the success rate jumped to 70%.Magazine: How to fix suspected insider trading on Polymarket and KalshiCointelegraph is committed to independent, transparent journalism. This news article is produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently.
Why This Security News Matters
First, this development may affect exchange safety, wallet security, user trust, and broader market sentiment. In addition, it may influence platform security practices, fund recovery efforts, and regulatory pressure. As a result, traders and crypto users should watch the next updates closely.
What To Watch Next
Watch for official statements, post-mortem reports, wallet warnings, exchange responses, and fund recovery updates. In particular, any new details about phishing, exploits, private key exposure, or security patches could directly affect the broader crypto market.
