ZetaChain Exploit Sparks Bug Bounty Backlash After Ignored Warning

A vulnerability that ultimately led to ZetaChain’s recent exploit had already been flagged through its bug bounty program, but was dismissed as expected behavior. The revelation, shared in a post-mortem on Wednesday, has ignited criticism from users and security researchers who argue that the oversight reflects deeper flaws in how DeFi protocols handle vulnerability reports.

Ignored warning raises questions over bug bounty systems

One user on X summed up the frustration, claiming that bug bounty systems often fail to reward researchers properly, instead leaving protocols exposed to avoidable risks. According to ZetaChain, the incident has now triggered an internal review of how it evaluates submissions, particularly those involving complex or chained attack scenarios.

The exploit, which occurred on Sunday, resulted in losses of approximately $334,000. The attacker drained funds across nine transactions spanning multiple networks, including Ethereum, Arbitrum, Base, and BNB Smart Chain. ZetaChain confirmed that no user funds were affected, as the compromised wallets were controlled by the protocol itself.

Chained design flaws enabled coordinated attack

ZetaChain’s investigation revealed that the exploit was not the result of a single critical bug, but rather a combination of smaller design flaws that became dangerous when linked together. The gateway contract allowed unrestricted cross-chain instructions, while its execution layer permitted nearly any command on connected contracts due to an insufficient blocklist.

Compounding the issue, wallets interacting with the gateway had retained unlimited token approvals, creating an opening for the attacker to move funds freely once access was gained.

“This was not an opportunistic attack,” the team noted. The attacker had prepared days in advance, funding their wallet via Tornado Cash, deploying a custom drainer contract, and even conducting address poisoning to obscure transaction trails. In response, ZetaChain has begun rolling out fixes, including disabling arbitrary calls and replacing unlimited approvals with exact transaction limits.
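The two mitigations the post-mortem names, an explicit allowlist in place of an insufficient blocklist and exact-amount approvals in place of standing unlimited ones, shown as an added Solidity illustration. This is hypothetical example code written for this article, not ZetaChain's gateway or its fix; the contract names `AllowlistedGateway` and `ExactApprovalCaller`, the `execute`, `deposit` and `depositExact` functions, the events, and the minimal `IERC20` interface are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal ERC-20 surface used by the example (assumed, standard ERC-20 names).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

/// Hypothetical gateway (not ZetaChain's code). Execution is restricted to an explicit
/// allowlist of (target, function selector) pairs, so "nearly any command" is impossible by
/// construction, and token pulls are for an exact amount rather than an open-ended allowance.
contract AllowlistedGateway {
    address public immutable owner;

    /// (target, selector) pairs this gateway may call. Anything not listed is refused.
    mapping(address => mapping(bytes4 => bool)) public allowed;

    event AllowlistChanged(address indexed target, bytes4 selector, bool permitted);
    /// Emitted on every forwarded call; a monitor can alert on unexpected targets or selectors.
    event Executed(address indexed target, bytes4 selector, address indexed sender);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setAllowed(address target, bytes4 selector, bool permitted) external onlyOwner {
        allowed[target][selector] = permitted;
        emit AllowlistChanged(target, selector, permitted);
    }

    /// Forward a call only if its (target, selector) pair is allowlisted. The selector is the
    /// first four bytes of calldata; shorter payloads (plain value sends, fallback hits) are refused.
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        require(data.length >= 4, "no selector");
        bytes4 selector = bytes4(data[:4]);
        require(allowed[target][selector], "call not allowlisted");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "target call failed");
        emit Executed(target, selector, msg.sender);
        return ret;
    }

    /// Pull exactly `amount` of `token` from the caller. The gateway never needs, and never
    /// asks for, an unlimited allowance.
    function deposit(IERC20 token, uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }
}

/// Hypothetical caller-side pattern: grant an exact allowance immediately before the deposit
/// and verify nothing is left afterwards, so a later compromise of the gateway finds no
/// standing approval to drain.
contract ExactApprovalCaller {
    function depositExact(AllowlistedGateway gateway, IERC20 token, uint256 amount) external {
        require(token.approve(address(gateway), amount), "approve failed");
        gateway.deposit(token, amount);
        // With a standard ERC-20 the exact pull consumes the whole allowance; if a token leaves
        // anything behind, fail loudly rather than leave a residual approval in place.
        require(token.allowance(address(this), address(gateway)) == 0, "allowance left behind");
    }
}
```

The allowlist is keyed on both the target and the function selector, so adding a new integration means an explicit owner transaction that emits `AllowlistChanged`, which is easy to monitor; the `Executed` event gives responders a per-call audit trail. The caller-side check at the end of `depositExact` is the operational counterpart of the post-mortem's fix: the wallets interacting with the gateway hold no lasting approval that could be exercised later.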

Meanwhile, new research from Andreessen Horowitz highlights a growing concern about AI-powered tools that are becoming increasingly capable of executing DeFi exploits. Their study found that while basic AI agents succeeded in just 10% of cases, performance surged to 70% when guided with structured attack frameworks, underscoring the rising sophistication of threats facing the sector.

 

Enjoyed this piece? Bookmark DeFi Planet, explore related topics, and follow us on Twitter, LinkedIn, Facebook, Instagram, Threads, and Coin MarketCap Community for seamless access to high-quality industry insights.
