TLDR
-
ZetaChain exploit drains $334K via gateway flaw across four chains
-
Arbitrary calls and token approvals fuel ZetaChain exploit attack
-
ZetaChain patches gateway flaw after $334K exploit hits team wallets
-
Cross-chain weakness triggers ZetaChain exploit draining internal funds
-
ZetaChain halts transactions after exploit exposes gateway risks
ZetaChain confirmed a targeted exploit that drained about $334,000 through a flaw in its cross-chain gateway system. The incident affected only internal wallets and involved transactions across multiple chains. However, ZetaChain paused operations quickly and deployed fixes to contain further risk.
ZetaChain Gateway Flaw Enabled Cross-Chain Drain
ZetaChain reported that the exploit targeted its GatewayEVM contract, which handles cross-chain communication. The attacker manipulated the system to execute unauthorized token transfers. ZetaChain recorded losses across Ethereum, Arbitrum, Base, and BSC networks.
ZetaChain explained that the exploit combined multiple weaknesses within its messaging pipeline. The system allowed arbitrary calls with minimal restrictions across chains. As a result, the attacker gained the ability to trigger sensitive functions remotely.
ZetaChain identified that the receiving contract accepted a broad range of command types, including token transfer functions. This design enabled execution without strict validation checks. The attacker used these permissions to move funds from affected wallets.
ZetaChain Vulnerabilities Linked to Token Approvals
ZetaChain stated that previously deposited wallets had granted unlimited token approvals to the gateway contract. These approvals remained active and unrevoked over time. The attacker leveraged these permissions to drain ERC-20 tokens using transferFrom calls.
ZetaChain confirmed that the exploit did not impact user funds at any stage. The attack targeted only three wallets controlled by the ZetaChain team.The event exposed risks tied to persistent token allowances.
ZetaChain noted that the vulnerability had appeared in its bug bounty program earlier. The report classified the issue as expected behavior and did not escalate it. Therefore, the oversight contributed to the exploit when combined with other flaws.
ZetaChain Response and Broader DeFi Impact
ZetaChain responded by pausing cross-chain transactions immediately after detecting the attack. The team developed and deployed a patch to eliminate arbitrary call functionality. ZetaChain plans to re-enable services after completing further reviews and upgrades.
ZetaChain replaced unlimited token approvals with exact-amount permissions in its updated system. This adjustment aims to reduce exposure to similar exploits in future interactions. The platform advised users to revoke any existing token allowances linked to gateway contracts.
ZetaChain also observed that the attacker prepared the exploit carefully before execution. The attacker funded the wallet via Tornado Cash and employed address-poisoning techniques. The attacker swapped stolen assets into ETH to obscure transaction trails.
ZetaChain highlighted rising exploit activity across decentralized finance platforms. Recent data shows multiple attacks targeting smart contract design weaknesses within short periods. ZetaChain initiated a review of its bug bounty handling and security processes.
