ZetaChain Vulnerability Previously Reported by White Hat but Ignored, Resulting in $334,000 Attack Event

BlockBeats News, April 29th. Cross-chain protocol ZetaChain has disclosed the security issues behind a recent $334,000 exploit. The issues had previously been reported by researchers through the bug bounty program but were dismissed by the project team at the time as "intended behavior." According to the official post-incident report, the attack stemmed from a combination of three seemingly independent, individually low-risk design flaws:

The Gateway contract allowed anyone to send arbitrary cross-chain instructions;
The receiver could execute calls to almost any contract, and the blacklist restrictions were too narrow;
Some wallets had long-standing unlimited approvals that were not revoked.

The attacker chained these issues to instruct the Gateway to transfer the tokens directly to an address under their control. ZetaChain stated that the attack consisted of 9 transactions across Ethereum, Arbitrum, Avalanche, and BSC, that the stolen funds came from wallets controlled by ZetaChain, and that user funds were not affected.


The official statement noted that the attack was clearly premeditated: the attacker had funded the wallet through Tornado Cash three days before the attack, pre-deployed a dedicated drainer contract, and also carried out an address poisoning attack.


ZetaChain has now begun pushing a fix to the mainnet nodes that permanently disables the arbitrary-call functionality and replaces the deposit process's unlimited approval with a "specific amount approval."
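The three flaws and the mitigations the report describes, shown side by side as an added Solidity sketch (this is illustrative code written for this article, not ZetaChain's contracts; the contract names, the relayer role, the allow-list and the allowance check are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Hypothetical receiver: an allow-list of callable contracts replaces the narrow deny-list.
contract AllowListReceiver {
    address public immutable gateway;
    address public immutable owner;
    mapping(address => bool) public allowedTarget;

    constructor(address _gateway) { gateway = _gateway; owner = msg.sender; }
    function setAllowed(address target, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowedTarget[target] = ok;
    }

    // Only the gateway may drive this, and only toward allow-listed contracts; token
    // contracts are never allow-listed, so allowances granted to the gateway cannot be spent here.
    function execute(address target, bytes calldata data) external {
        require(msg.sender == gateway, "only gateway");
        require(allowedTarget[target], "target not allow-listed");
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

// Hypothetical gateway: instructions only from an authorized relayer, deposits only
// against exact-amount approvals.
contract Gateway {
    address public immutable relayer;
    constructor(address _relayer) { relayer = _relayer; }

    function relay(AllowListReceiver receiver, address target, bytes calldata data) external {
        require(msg.sender == relayer, "not relayer"); // no longer "anyone"
        receiver.execute(target, data);
    }

    // Weak pattern: the wallet approves type(uint256).max once and never revokes it.
    // Corrected pattern: the wallet approves exactly `amount`; the deposit consumes it fully
    // and refuses to proceed if a standing allowance would remain.
    function deposit(IERC20 token, uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        require(token.allowance(msg.sender, address(this)) == 0, "standing allowance remains");
    }
}
```

The allowance check after `transferFrom` is the on-chain form of "specific amount approval": a wallet that granted more than the deposit amount is rejected rather than left with a lingering allowance.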
