{"id":27028,"date":"2026-04-29T12:24:02","date_gmt":"2026-04-29T12:24:02","guid":{"rendered":"https:\/\/bitunikey.com\/news\/zetachain-admits-overlooking-bug-bounty-report-before-334k-exploit\/"},"modified":"2026-04-29T12:24:18","modified_gmt":"2026-04-29T12:24:18","slug":"zetachain-admits-overlooking-bug-bounty-report-before-334k-exploit","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/zetachain-admits-overlooking-bug-bounty-report-before-334k-exploit\/","title":{"rendered":"ZetaChain admits overlooking bug bounty report before $334K exploit"},"content":{"rendered":"<p><\/p>\n<div class=\"post-detail__content blocks\">\n<p>ZetaChain has acknowledged that a vulnerability behind its recent exploit had already been reported through its bug bounty program, but was treated as expected behavior.<\/p>\n<p>According to ZetaChain\u2019s post-mortem <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/zetachain.notion.site\/post-mortem-4-26-2026\" target=\"_blank\" rel=\"nofollow\">published<\/a> Wednesday, the incident has triggered an internal review of how the protocol evaluates bug bounty submissions, especially those involving multi-step attack paths that may appear harmless when viewed separately.<\/p>\n<p>The disclosure follows an attack on Sunday that targeted the project\u2019s cross-chain gateway contract, draining about $334,000 across nine transactions on Ethereum, Arbitrum, Base, and BSC, all from wallets controlled by the team.\u00a0<\/p>\n<p>ZetaChain stated that no user funds were impacted, a point it had also emphasized a day earlier when it paused cross-chain transactions on its mainnet to contain the breach.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p>\n<p>DefiLlama data had earlier estimated the losses at roughly $300,000, while ZetaChain said at the time that it would release a full breakdown after completing its investigation.<\/p>\n<h2 class=\"wp-block-heading\">Flaws combined to enable full drain<\/h2>\n<p>ZetaChain 
said the attacker chained together three separate design weaknesses that, on their own, did not appear critical but together enabled the exploit. The gateway contract allowed unrestricted cross-chain instructions to be sent, while the receiving side executed nearly any command on any contract, with a limited blocklist that failed to cover basic token transfer functions.<\/p>\n<p>Existing wallets that had interacted with the gateway retained unlimited token approvals, which were not revoked. By combining these conditions, the attacker instructed the gateway to move tokens from those wallets, and the system executed the transfers without resistance.<\/p>\n<p>\u201cThis was not an opportunistic attack,\u201d ZetaChain said, outlining how the attacker prepared in advance by funding a wallet through Tornado Cash three days before the exploit, deploying a custom drainer contract on ZetaChain, and running an address poisoning campaign before initiating the transactions.<\/p>\n<h2 class=\"wp-block-heading\">Bug report dismissed before exploit<\/h2>\n<p>In its post-mortem, ZetaChain confirmed that the core issue had been raised earlier through its bug bounty program but was not treated as a threat at the time. The team said this has prompted a reassessment of how it handles reports that describe complex attack combinations rather than isolated bugs.<\/p>\n<p>\u201cThis bug was reported and they simply ignored it,\u201d one user wrote on X, adding that current bug bounty structures often fail to reward researchers for identifying vulnerabilities before they are exploited.<\/p>\n<p>Following the incident, ZetaChain said it has disabled the gateway\u2019s arbitrary call functionality through a patch being rolled out to mainnet nodes. 
The platform has also removed unlimited token approvals from its deposit process, replacing them with exact-amount approvals to reduce risk from similar attack patterns.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>ZetaChain has acknowledged that a vulnerability behind its recent exploit had already been reported through its bug bounty program, but was treated as expected behavior. According to ZetaChain\u2019s post-mortem published&hellip;<\/p>\n","protected":false},"author":1,"featured_media":10096,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-27028","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/27028","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=27028"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/27028\/revisions"}],"predecessor-version":[{"id":27029,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/27028\/revisions\/27029"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/10096"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=27028"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=27028"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/new
s\/wp-json\/wp\/v2\/tags?post=27028"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}