عاجل
ESAviso amarillo por tormentas en Madrid este martesESTrump pide a la FIFA revisar tarjeta roja a Folarin BalogunESBrasil, eliminada del Mundial: Ancelotti y Neymar, señalados en la crisis del 'scratch'ESElecciones en CEOE: Apoyos divididos para la reelección de Antonio GaramendiESTragedia familiar en la A-67: Muere el director de Dehesa de los Canónigos, su mujer y dos hijos en accidenteESEva Orúe cesa como directora de la Feria del Libro de MadridESVox sospecha de "fraude electoral" por la "ley de nietos" y pide excluir a los nacionalizados del votoESFrancia enfrenta una prematura temporada de incendios tras ola de calorESTrump intensifica su ruptura con Meloni con un nuevo ataque en redes socialesESCazas F-35 británicos interceptan aviones rusos cerca del ÁrticoESAviso amarillo por tormentas en Madrid este martesESTrump pide a la FIFA revisar tarjeta roja a Folarin BalogunESBrasil, eliminada del Mundial: Ancelotti y Neymar, señalados en la crisis del 'scratch'ESElecciones en CEOE: Apoyos divididos para la reelección de Antonio GaramendiESTragedia familiar en la A-67: Muere el director de Dehesa de los Canónigos, su mujer y dos hijos en accidenteESEva Orúe cesa como directora de la Feria del Libro de MadridESVox sospecha de "fraude electoral" por la "ley de nietos" y pide excluir a los nacionalizados del votoESFrancia enfrenta una prematura temporada de incendios tras ola de calorESTrump intensifica su ruptura con Meloni con un nuevo ataque en redes socialesESCazas F-35 británicos interceptan aviones rusos cerca del Ártico
Newsgather
BackZetaChain Exploit Loses $334K After Bug Bounty Report Dismissed as Intended Behavior
ZetaChain Exploit Loses $334K After Bug Bounty Report Dismissed as Intended Behavior
يتطور
Cointelegraph29.04.2026تقنية2 dk okuma

ZetaChain Exploit Loses $334K After Bug Bounty Report Dismissed as Intended Behavior

Cross-chain protocol suffers premeditated attack exploiting three design flaws; patch now being rolled out

نظرة سريعة

  • ZetaChain lost approximately $334,000 in a premeditated exploit on Sunday that targeted its cross-chain gateway contract.
  • The vulnerability had been previously flagged through the protocol's bug bounty program but was dismissed as intended behavior.
  • The attacker exploited three design flaws in combination: unrestricted cross-chain instructions, broad execution permissions with a narrow blocklist, and lingering unlimited spending approvals from previous gateway users.

ملخص مُنشأ بالذكاء الاصطناعي

لماذا يهم

ZetaChain is a cross-chain interoperability protocol that enables messages and assets to be transferred between different blockchain networks. The exploit targeted the gateway contract that handles cross-chain instructions.

حجم الخط

The vulnerability that led to ZetaChain’s recent exploit had been flagged through its bug bounty program before the attack, but was dismissed as intended behavior. In a post-mortem published Wednesday, the team said the incident has prompted a review of how it handles bug bounty submissions, particularly reports involving chained attack vectors that may appear harmless in isolation but are dangerous in combination. “This bug was reported and they simply ignored it,” one user wrote on X. “That's how bug bounty programs work with these protocols currently; they incentivize losses for the protocol, the TVL, and the user's balance instead of paying the researcher for discovering and fixing the bug,” they added. ZetaChain lost approximately $334,000 to a premeditated exploit on Sunday that targeted its cross-chain gateway contract. The exploit drained funds across nine transactions on four chains, including Ethereum, Arbitrum, Base and BSC, all from ZetaChain-controlled wallets. No user funds were affected. Related: Crypto hackers stole $17B over past 10 years: DefiLlama Attacker exploits small design flaws ZetaChain said in its post-mortem that the attacker exploited three design flaws that, individually, might have seemed minor, but together opened the door to a full drain. First, the gateway allowed anyone to send arbitrary cross-chain instructions with no restrictions. Second, on the receiving end, it would execute almost any command on any contract, with a blocklist so narrow it missed basic token transfer functions. Third, wallets that had previously used the gateway had left unlimited spending permissions in place that were never cleaned up. By combining all three, the attacker simply told the gateway to transfer tokens from victim wallets to their own, and the gateway complied. Source: ZetaChain “This was not an opportunistic attack,” ZetaChain said in its post-mortem. The attacker funded their wallet through Tornado Cash three days before the exploit, deployed a purpose-built drainer contract on ZetaChain and ran an address poisoning campaign before seeding it into their transaction history via dust transfers. ZetaChain added that a patch permanently disabling the arbitrary call functionality is being rolled out to mainnet nodes. The platform also removed unlimited token approvals from its deposit flow, replacing them with exact-amount approvals going forward. Related: Ethical hacker intercepts $2.6M in Morpho Labs exploit AI DeFi exploit success rate increases A new study by a16z tested whether an off-the-shelf AI agent could go beyond identifying DeFi vulnerabilities and actually produce working exploits. Using OpenAI's Codex against a dataset of 20 real Ethereum price manipulation incidents, researchers ran the agent in a sandboxed environment with no access to future transaction data and no guidance on how the attacks worked. The agent succeeded in just 10% of cases. However, when researchers fed the agent structured knowledge about common attack patterns and exploit workflows, the success rate jumped to 70%.

ما الذي يجب مراقبته

توقعات الذكاء الاصطناعي — احتمالات وليست حقائق

  • ZetaChain will implement more rigorous bug bounty triage process

    مرجح · خلال أسابيع

  • Other cross-chain protocols will audit similar design patterns

    مرجح · خلال أشهر

أسئلة مفتوحة

  • Why did the bug bounty team dismiss the report as intended behavior?
  • How many wallets were affected by the unlimited approval vulnerability?
  • What specific changes were made to the blocklist functionality?

مواضيع ذات صلة

This article was originally published by Cointelegraph.

أخبار ذات صلة

المزيد حول هذا الموضوعzetachain