The vulnerability that led to ZetaChain’s latest exploit had been flagged via its bug bounty program earlier than the assault, however was dismissed as supposed conduct.
In a autopsy published Wednesday, the group mentioned the incident has prompted a evaluation of the way it handles bug bounty submissions, notably experiences involving chained assault vectors that will seem innocent in isolation however are harmful together.
“This bug was reported and so they merely ignored it,” one consumer wrote on X. “That is how bug bounty packages work with these protocols at present; they incentivize losses for the protocol, the TVL, and the consumer’s stability as a substitute of paying the researcher for locating and fixing the bug,” they added.
ZetaChain misplaced roughly $334,000 to a premeditated exploit on Sunday that focused its cross-chain gateway contract. The exploit drained funds throughout 9 transactions on 4 chains, together with Ethereum, Arbitrum, Base and BSC, all from ZetaChain-controlled wallets. No consumer funds had been affected.
Associated: Crypto hackers stole $17B over past 10 years: DefiLlama
Attacker exploits small design flaws
ZetaChain mentioned in its autopsy that the attacker exploited three design flaws that, individually, may need appeared minor, however collectively opened the door to a full drain. First, the gateway allowed anybody to ship arbitrary cross-chain directions with no restrictions. Second, on the receiving finish, it will execute nearly any command on any contract, with a blocklist so slim it missed primary token switch features.
Third, wallets that had beforehand used the gateway had left limitless spending permissions in place that had been by no means cleaned up. By combining all three, the attacker merely instructed the gateway to switch tokens from sufferer wallets to their very own, and the gateway complied.
Supply: ZetaChain
“This was not an opportunistic assault,” ZetaChain mentioned in its autopsy. The attacker funded their pockets via Twister Money three days earlier than the exploit, deployed a purpose-built drainer contract on ZetaChain and ran an tackle poisoning marketing campaign earlier than seeding it into their transaction historical past by way of mud transfers.
ZetaChain added {that a} patch completely disabling the arbitrary name performance is being rolled out to mainnet nodes. The platform additionally eliminated limitless token approvals from its deposit movement, changing them with exact-amount approvals going ahead.
Associated: Ethical hacker intercepts $2.6M in Morpho Labs exploit
AI DeFi exploit success charge will increase
A brand new examine by a16z tested whether or not an off-the-shelf AI agent might transcend figuring out DeFi vulnerabilities and truly produce working exploits. Utilizing OpenAI’s Codex in opposition to a dataset of 20 actual Ethereum value manipulation incidents, researchers ran the agent in a sandboxed setting with no entry to future transaction knowledge and no steerage on how the assaults labored. The agent succeeded in simply 10% of circumstances.
Nonetheless, when researchers fed the agent structured data about frequent assault patterns and exploit workflows, the success charge jumped to 70%.
Journal: How to fix suspected insider trading on Polymarket and Kalshi
