
ZetaChain has revealed that a vulnerability exploited in its recent $334,000 attack had previously been reported through its bug bounty programme but was dismissed as intended behaviour.
The exploit targeted ZetaChain’s cross-chain gateway, draining funds across multiple networks including Ethereum, Arbitrum, Base and BSC, though no user funds were affected.
“This bug was reported and they simply ignored it,” a user wrote, criticising how bug bounty submissions are handled in some protocols.
ZetaChain said the attacker combined three seemingly minor design flaws, including unrestricted cross-chain instructions and overly broad execution permissions, to carry out the exploit.
The attacker prepared in advance, funding wallets via Tornado Cash and deploying a custom contract before executing the drain.
In response, ZetaChain is patching its system to disable arbitrary calls and replace unlimited token approvals with stricter controls.
The incident highlights ongoing risks in DeFi security, particularly when multiple low-risk vulnerabilities can be chained into high-impact exploits.