ZetaChain says dismissed bug bounty report preceded ~$334K cross-chain gateway drain

The post-mortem ties the exploit to three design flaws and ships patches to disable arbitrary calls and remove unlimited approvals.

By AI News Crypto Editorial Team

ZetaChain says a vulnerability behind an approximately $334,000 cross-chain gateway exploit had been reported through its bug bounty program before the attack but was dismissed as “intended behavior.” The team’s post-mortem details a three-part design failure and outlines patches now rolling out across mainnet nodes.

Key Takeaways

  • A bug bounty submission flagged the vulnerability before the exploit, but it was treated as “intended behavior,” ZetaChain said in its post-mortem.
  • About $334,000 was drained across nine transactions on Ethereum, Arbitrum, Base, and BSC from ZetaChain-controlled wallets, with no user funds affected.
  • ZetaChain attributed the drain to a chained path across three design flaws: arbitrary cross-chain instructions, permissive execution guarded by a narrow blocklist, and leftover unlimited token approvals.
  • Remediation includes permanently disabling arbitrary call functionality and shifting deposits from unlimited approvals to exact-amount approvals.

Post-Mortem: Bug Bounty Report Preceded the ~$334K Gateway Drain

ZetaChain’s post-mortem puts an uncomfortable detail at the center of the incident: the vulnerability behind the roughly $334,000 gateway drain had already been submitted through its bug bounty program, but was dismissed as “intended behavior.” The team said the episode has triggered a review of how it handles bug bounty submissions, with emphasis on reports where multiple small issues can chain into a full exploit.

The exploit itself was described as “premeditated,” not a random hit. ZetaChain said the attacker’s preparation began days earlier, including funding via Tornado Cash, deploying a purpose-built drainer contract on ZetaChain, and running an address poisoning campaign that was seeded into transaction history via dust transfers. ZetaChain’s framing matters for traders because it points away from a one-off key compromise and toward repeatable design and process risk.

Where the Money Moved: Nine Transactions Across Four Chains

ZetaChain said the drain totaled approximately $334,000 and played out across nine transactions spanning Ethereum, Arbitrum, Base, and BSC. The funds came from ZetaChain-controlled wallets, not user wallets, and the team said no user funds were affected.

That distinction reduces the immediate balance-sheet shock for users, but it does not eliminate market impact. For cross-chain traders, a gateway contract is a routing dependency. Even when user balances are untouched, confidence can still get repriced through usage, integrator decisions, and how quickly liquidity routes away from perceived operational risk.

The Three-Flaw Chain: Arbitrary Instructions, Permissive Execution, Unlimited Approvals

ZetaChain attributed the exploit to three design flaws that “individually, might have seemed minor,” but combined into a clean drain path.

First, the gateway allowed anyone to send arbitrary cross-chain instructions with no restrictions. Second, the receiving side would execute “almost any command on any contract,” and the blocklist was narrow enough to miss basic token transfer functions. Third, wallets that had previously used the gateway left unlimited spending permissions in place that were never cleaned up.

Put together, the attacker could instruct the gateway to transfer tokens from victim wallets to the attacker’s wallet, and ZetaChain said “the gateway complied.” For risk pricing, that’s the actionable takeaway: the failure mode was allowance hygiene plus permissive message execution, not a single brittle component that can be dismissed as an edge case.
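The gap between a narrow blocklist and a default-deny allowlist on the receiving side, as an added example that is not ZetaChain's code. The blocklist contents, the allowlisted application contract and its selector, and all addresses are hypothetical placeholders; only the ERC-20 selectors are the standard values.

```python
# Added illustration of a receiving-side call filter; not ZetaChain's code.
# Standard ERC-20 function selectors (first 4 bytes of calldata).
TRANSFER_FROM = "23b872dd"   # transferFrom(address,address,uint256)
APPROVE = "095ea7b3"         # approve(address,uint256)

# Hypothetical narrow blocklist: names one function, misses the transfer path.
BLOCKLIST = {APPROVE}

# Hypothetical allowlist of (target, selector) pairs; both values are placeholders.
APP_CONTRACT = "0x" + "aa" * 20
APP_SELECTOR = "deadbeef"
ALLOWLIST = {(APP_CONTRACT, APP_SELECTOR)}

def selector(calldata):
    """Return the lowercase 4-byte selector, or None if calldata is too short."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    return data[:8] if len(data) >= 8 else None

def blocklist_permits(target, calldata):
    """Default-allow: anything not explicitly named goes through."""
    return selector(calldata) not in BLOCKLIST

def allowlist_permits(target, calldata):
    """Default-deny: only known (target, selector) pairs go through."""
    return (target.lower(), selector(calldata)) in ALLOWLIST

def word(hex_value):
    """Left-pad a hex value to one 32-byte ABI word."""
    return hex_value.lower().replace("0x", "").rjust(64, "0")

# Constructed sample calls aimed at a placeholder token contract.
TOKEN = "0x" + "bb" * 20
OWNER, RECIPIENT = "0x" + "cc" * 20, "0x" + "dd" * 20
CALLS = {
    "approve": "0x" + APPROVE + word(RECIPIENT) + word(hex(1000)),
    "transferFrom": "0x" + TRANSFER_FROM + word(OWNER) + word(RECIPIENT) + word(hex(1000)),
    "app call": "0x" + APP_SELECTOR,
}

def compare():
    """Return {name: (blocklist verdict, allowlist verdict)} for the sample calls."""
    out = {}
    for name, data in CALLS.items():
        target = APP_CONTRACT if name == "app call" else TOKEN
        out[name] = (blocklist_permits(target, data), allowlist_permits(target, data))
    return out
```

Under the blocklist, any call it fails to name is executed, including empty calldata; under the allowlist, a token-contract call is rejected whatever its selector.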

Patch Rollout and Bug Bounty Triage Review

ZetaChain said a patch that permanently disables the arbitrary call functionality is being rolled out to mainnet nodes. It also removed unlimited token approvals from its deposit flow, replacing them with exact-amount approvals going forward.
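An allowance-hygiene audit for wallets that have approved a gateway, as an added example that is not ZetaChain's tooling. It assumes a snapshot of `allowance(owner, gateway)` and `balanceOf(owner)` readings has already been collected; the rows, wallet names, token names and figures below are constructed sample data.

```python
from collections import defaultdict

MAX_UINT256 = 2**256 - 1

# Constructed snapshot: on-chain readings for one gateway spender (sample data).
SNAPSHOT = [
    {"chain": "ethereum", "token": "TOKEN_A", "owner": "wallet-1",
     "allowance": MAX_UINT256, "balance": 120_000},
    {"chain": "arbitrum", "token": "TOKEN_A", "owner": "wallet-2",
     "allowance": 5_000, "balance": 40_000},
    {"chain": "base", "token": "TOKEN_B", "owner": "wallet-3",
     "allowance": 0, "balance": 75_000},
    {"chain": "bsc", "token": "TOKEN_B", "owner": "wallet-4",
     "allowance": MAX_UINT256, "balance": 0},
]

def classify(row, pending_deposit=0):
    """Label an allowance relative to what the wallet still intends to deposit."""
    allowance = row["allowance"]
    if allowance == 0:
        return "clean"
    if allowance == MAX_UINT256:
        return "unlimited"
    # With exact-amount approvals nothing should remain once the deposit is pulled.
    return "residual" if allowance > pending_deposit else "exact"

def exposure(row):
    """Tokens the spender could pull right now: min(allowance, balance)."""
    return min(row["allowance"], row["balance"])

def audit(snapshot):
    """Return (findings sorted by exposure, exposure per (chain, token))."""
    findings, totals = [], defaultdict(int)
    for row in snapshot:
        kind = classify(row)
        if kind in ("unlimited", "residual"):
            amount = exposure(row)
            findings.append((row["chain"], row["token"], row["owner"], kind, amount))
            totals[(row["chain"], row["token"])] += amount
    findings.sort(key=lambda f: f[4], reverse=True)
    return findings, dict(totals)
```

A wallet with an unlimited approval and a zero balance still appears as a finding, because its exposure becomes the full balance as soon as it is refunded.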

The immediate forward signals are operational. Traders will want confirmation that the arbitrary-call disablement has fully propagated across mainnet nodes, plus clarity on whether any follow-on hotfixes are required. The other live question is whether exact-amount approvals are active across all supported chains and whether integrators hit compatibility friction.

The process overhang is the bug bounty pipeline itself. ZetaChain said the issue was previously reported but dismissed as intended behavior, and an X user criticized the handling, writing: “This bug was reported and they simply ignored it,” adding: “That's how bug bounty programs work with these protocols currently. They incentivize losses for the protocol, the TVL, and the user's balance instead of paying the researcher for discovering and fixing the bug.” ZetaChain has not specified whether the earlier report matched the full exploit path or only one component, leaving room for more disclosures on timing, scope, and updated triage outcomes.

What This Changes for Cross-Chain Risk Pricing

I treat this as a gateway-surface incident, not a headline-sized loss event. The threshold that matters is whether the patch set truly collapses the attack surface by removing arbitrary calls and tightening approvals, because those map directly to two of the three failure points ZetaChain identified.

The real test is whether ZetaChain can turn the bug bounty admission into a process upgrade that catches chained vectors before they become drains. If that holds, the setup starts to look structural rather than narrative-driven, and it matters in practical terms because it changes how quickly liquidity routers and integrators are willing to re-trust the gateway path after an exploit.
