ZetaChain dismissed a bug report that could have prevented the $334K exploit

Cointelegraph


The vulnerability that led to ZetaChain's latest exploit was flagged through its bug bounty program before the attack, but was dismissed as intended behavior.

In a postmortem published Wednesday, the team explained how the incident involved its bug bounty program, specifically reports involving chained attack vectors that appear harmless individually but are dangerous in combination.

“This bug was reported and they simply ignored it,” wrote one user on X. “This is how bug bounty programs work with these protocols: they encourage losses to the protocol, TVL, and user balance rather than paying the researcher to find and fix the bug,” he added.

ZetaChain lost approximately $334,000 to a planned exploit targeting cross-chain login contracts. The exploit involved wallets on four chains, including Ethereum, Arbitrum, Base and BSC, all controlled by ZetaChain. No user funds were affected.


An attacker exploits small design flaws

ZetaChain said in a postmortem that the attacker exploited three design flaws that individually seemed minor, but together opened the door to a full drain. First, the gateway allowed anyone to send an arbitrary chain of instructions without restriction. Second, the receiving end, which executes any call on any contract, had a blocklist so narrow that it missed basic token transfer functions.

Third, wallets that had previously used the gateway still had unlimited spending approvals in place that were never revoked. By combining all three, the attacker simply told the gateway to transfer tokens from the victim's wallet to their own, and the gateway issued the call.
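The three conditions above can be checked together from the defender's side. The following is an added example, not code from ZetaChain or the original article: it flags when open arbitrary calls, a blocklist that misses the standard ERC-20 selectors, and leftover unlimited approvals line up. It assumes the "basic token transfer functions" are the ERC-20 `transfer`, `transferFrom` and `approve` calls; the addresses, the blocklist entry and the function names are constructed for illustration.

```python
MAX_UINT256 = 2**256 - 1

# Standard ERC-20 selectors (first 4 bytes of keccak256 of each signature).
TOKEN_SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "095ea7b3": "approve(address,uint256)",
}

def denylist_gaps(denylist):
    """Token-moving selectors that the receiver's blocklist does not block."""
    blocked = {s.lower().removeprefix("0x") for s in denylist}
    return {sel: sig for sel, sig in TOKEN_SELECTORS.items() if sel not in blocked}

def unlimited_approvals(allowances, gateway):
    """(owner, token) pairs that still grant the gateway an unlimited allowance."""
    return sorted(
        (a["owner"], a["token"])
        for a in allowances
        if a["spender"].lower() == gateway.lower() and a["amount"] == MAX_UINT256
    )

def assess(arbitrary_calls_open, denylist, allowances, gateway):
    """The chain is live only when all three conditions hold at once."""
    gaps = denylist_gaps(denylist)
    exposed = unlimited_approvals(allowances, gateway)
    # transferFrom is the call that spends an allowance held by the gateway.
    chained = arbitrary_calls_open and "23b872dd" in gaps and bool(exposed)
    return {"gaps": sorted(gaps.values()), "exposed": exposed, "chained": chained}

# Constructed sample data: placeholder addresses, hypothetical one-entry blocklist.
GATEWAY = "0xGateway"
DENYLIST = ["0x12345678"]
ALLOWANCES = [
    {"owner": "0xWalletA", "token": "0xTokenX", "spender": GATEWAY, "amount": MAX_UINT256},
    {"owner": "0xWalletB", "token": "0xTokenX", "spender": GATEWAY, "amount": 500},
    {"owner": "0xWalletC", "token": "0xTokenY", "spender": "0xOther", "amount": MAX_UINT256},
]

if __name__ == "__main__":
    print(assess(True, DENYLIST, ALLOWANCES, GATEWAY))
    # Remediation modelled here: arbitrary calls off, approvals capped to an exact amount.
    capped = [dict(a, amount=min(a["amount"], 500)) for a in ALLOWANCES]
    print(assess(False, DENYLIST, capped, GATEWAY))
```

Removing any one of the three conditions makes `chained` false, which is why each flaw looked harmless when reviewed on its own.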


“This was not a random attack,” ZetaChain said in a postmortem. Three days after exploiting their wallets with Tornado Cash, the attacker deployed a purpose-built drain contract on ZetaChain and conducted an address poisoning campaign before seeding their transaction history with dust transfers.

ZetaChain added that a patch that permanently disables the arbitrary call function is being rolled out to mainnet nodes. The platform is also removing unlimited token approvals from the deposit flow and replacing them with exact-amount approvals.


AI will increase the success rate of DeFi exploitation

A new study by a16z tested whether an off-the-shelf AI agent could go beyond detecting DeFi vulnerabilities and create exploits. Using OpenAI's Codex, the researchers ran the agent through 20 real Ethereum price manipulation incidents in a sandboxed environment where future transaction data was not available and there was no guidance on how the attacks worked. The agent was successful in only 10% of cases.

However, when researchers fed the agent structured knowledge about common attack patterns and workflows, the success rate rose to 70 percent.

