Última hora
RUНеизвестный снаряд попал в танкер у побережья ОманаCN強颱巴威恐登陸 專家:致災性強風豪雨週五六襲台INBalogun Cleared to Play for US vs. Belgium After FIFA Rejects AppealFRFibre Excellence : l'État sollicité pour sauver deux usines et des emploisFRProcès d'Ekrem Imamoglu : un symbole de la dérive autoritaire en TurquieCN矢板明夫遭攻擊 溫朗東:中國怕他做了正確的事ARكندا تختار شركة ألمانية لبناء 12 غواصة في صفقة عسكرية كبيرةCN國民黨立委之子認簽賭、霸凌 律師批:選舉才道歉RUNATO Summit in Ankara to be Shortest in Two Decades, Focus on Russia and UkraineCN八村壘2年2800萬美元轉戰快艇 拒絕勇士等4隊招攬RUНеизвестный снаряд попал в танкер у побережья ОманаCN強颱巴威恐登陸 專家:致災性強風豪雨週五六襲台INBalogun Cleared to Play for US vs. Belgium After FIFA Rejects AppealFRFibre Excellence : l'État sollicité pour sauver deux usines et des emploisFRProcès d'Ekrem Imamoglu : un symbole de la dérive autoritaire en TurquieCN矢板明夫遭攻擊 溫朗東:中國怕他做了正確的事ARكندا تختار شركة ألمانية لبناء 12 غواصة في صفقة عسكرية كبيرةCN國民黨立委之子認簽賭、霸凌 律師批:選舉才道歉RUNATO Summit in Ankara to be Shortest in Two Decades, Focus on Russia and UkraineCN八村壘2年2800萬美元轉戰快艇 拒絕勇士等4隊招攬
Newsgather
BackZetaChain Exploit Loses $334K After Bug Bounty Report Dismissed as Intended Behavior
ZetaChain Exploit Loses $334K After Bug Bounty Report Dismissed as Intended Behavior
En desarrollo
Cointelegraph29.04.2026Tecnología2 dk okuma

ZetaChain Exploit Loses $334K After Bug Bounty Report Dismissed as Intended Behavior

Cross-chain protocol suffers premeditated attack exploiting three design flaws; patch now being rolled out

En resumen

  • ZetaChain lost approximately $334,000 in a premeditated exploit on Sunday that targeted its cross-chain gateway contract.
  • The vulnerability had been previously flagged through the protocol's bug bounty program but was dismissed as intended behavior.
  • The attacker exploited three design flaws in combination: unrestricted cross-chain instructions, broad execution permissions with a narrow blocklist, and lingering unlimited spending approvals from previous gateway users.

Resumen generado por IA

Por qué importa

ZetaChain is a cross-chain interoperability protocol that enables messages and assets to be transferred between different blockchain networks. The exploit targeted the gateway contract that handles cross-chain instructions.

Tamaño de fuente

The vulnerability that led to ZetaChain’s recent exploit had been flagged through its bug bounty program before the attack, but was dismissed as intended behavior. In a post-mortem published Wednesday, the team said the incident has prompted a review of how it handles bug bounty submissions, particularly reports involving chained attack vectors that may appear harmless in isolation but are dangerous in combination. “This bug was reported and they simply ignored it,” one user wrote on X. “That's how bug bounty programs work with these protocols currently; they incentivize losses for the protocol, the TVL, and the user's balance instead of paying the researcher for discovering and fixing the bug,” they added. ZetaChain lost approximately $334,000 to a premeditated exploit on Sunday that targeted its cross-chain gateway contract. The exploit drained funds across nine transactions on four chains, including Ethereum, Arbitrum, Base and BSC, all from ZetaChain-controlled wallets. No user funds were affected. Related: Crypto hackers stole $17B over past 10 years: DefiLlama Attacker exploits small design flaws ZetaChain said in its post-mortem that the attacker exploited three design flaws that, individually, might have seemed minor, but together opened the door to a full drain. First, the gateway allowed anyone to send arbitrary cross-chain instructions with no restrictions. Second, on the receiving end, it would execute almost any command on any contract, with a blocklist so narrow it missed basic token transfer functions. Third, wallets that had previously used the gateway had left unlimited spending permissions in place that were never cleaned up. By combining all three, the attacker simply told the gateway to transfer tokens from victim wallets to their own, and the gateway complied. Source: ZetaChain “This was not an opportunistic attack,” ZetaChain said in its post-mortem. The attacker funded their wallet through Tornado Cash three days before the exploit, deployed a purpose-built drainer contract on ZetaChain and ran an address poisoning campaign before seeding it into their transaction history via dust transfers. ZetaChain added that a patch permanently disabling the arbitrary call functionality is being rolled out to mainnet nodes. The platform also removed unlimited token approvals from its deposit flow, replacing them with exact-amount approvals going forward. Related: Ethical hacker intercepts $2.6M in Morpho Labs exploit AI DeFi exploit success rate increases A new study by a16z tested whether an off-the-shelf AI agent could go beyond identifying DeFi vulnerabilities and actually produce working exploits. Using OpenAI's Codex against a dataset of 20 real Ethereum price manipulation incidents, researchers ran the agent in a sandboxed environment with no access to future transaction data and no guidance on how the attacks worked. The agent succeeded in just 10% of cases. However, when researchers fed the agent structured knowledge about common attack patterns and exploit workflows, the success rate jumped to 70%.

Qué observar

Perspectiva de IA — posibilidades, no hechos

  • ZetaChain will implement more rigorous bug bounty triage process

    Probable · En semanas

  • Other cross-chain protocols will audit similar design patterns

    Probable · En meses

Preguntas abiertas

  • Why did the bug bounty team dismiss the report as intended behavior?
  • How many wallets were affected by the unlimited approval vulnerability?
  • What specific changes were made to the blocklist functionality?

Temas relacionados

This article was originally published by Cointelegraph.

Noticias relacionadas

Más sobre este temazetachain