The vulnerability had reportedly been submitted earlier through the project’s bug bounty program but was dismissed as intended behavior. In its post-mortem, ZetaChain said the attacker combined multiple design flaws, including unrestricted cross-chain instructions, overly broad contract execution permissions, and leftover unlimited token approvals from previous wallet interactions. The attacker also allegedly prepared in advance by funding wallets through Tornado Cash.
ZetaChain Hack Raises New Questions
ZetaChain recently suffered an exploit that resulted in losses of approximately $334,000. The attackers drained protocol-controlled funds across multiple blockchain networks including Ethereum, Arbitrum, Base, and BNB Smart Chain. Importantly, no user funds were impacted.
The incident attracted a lot of attention because the vulnerability behind the attack had reportedly been identified earlier through ZetaChain’s bug bounty program, but was dismissed by the team as intended.
After the exploit, ZetaChain released a post-mortem explaining that the breach was not caused by a single catastrophic flaw, but rather by several smaller design weaknesses that became dangerous when combined. According to the report, the protocol’s gateway contract allowed anyone to submit arbitrary cross-chain instructions without sufficient restrictions. Once those instructions reached their destination chain, the gateway could execute commands on nearly any smart contract. Although a blocklist existed, it was too limited and failed to prevent common token transfer functions.
Another key issue involved wallets that previously interacted with the gateway and still had unlimited token approvals active. These approvals had not been revoked or cleaned up. By combining open cross-chain messaging, overly broad execution permissions, and lingering token approvals, the attacker was able to instruct the gateway to transfer tokens from affected wallets directly into their own addresses.
ZetaChain stated that the exploit was carefully planned rather than opportunistic. Investigators found that the attacker funded their wallet through Tornado Cash several days before the breach, deployed a custom draining contract on ZetaChain, and conducted an address poisoning campaign that was designed to manipulate transaction histories and potentially confuse victims or monitoring systems.
In response, the protocol started rolling out security fixes. The arbitrary call functionality was permanently disabled on mainnet nodes, and the token approval process has been redesigned so that future deposits use exact-amount approvals instead of unlimited permissions. The team also said it is reviewing how bug bounty submissions are handled, especially cases where separate low-risk issues can be chained together into a serious exploit.
Part of ZetaChain’s post-mortem report
