Ignored Bug Bounty Warning Leads to $334K ZetaChain Cross Chain Exploit

ZetaChain lost $334K in a cross chain exploit. The issue was earlier flagged in its bug bounty but dismissed as expected behavior, raising security concerns in DeFi.

According to post-incident disclosures and community discussions, the vulnerability behind an exploit that eventually cost ZetaChain $334,000 had been reported earlier through the project’s own bug bounty program, but was deemed to be expected behavior by design.
The security hole, found in ZetaChain’s cross-chain gateway contract, has raised new concerns over how Web3 protocols triage security reports and act on early signals that may seem unimportant on their own.
Bug Bounty Report Was Flagged But Not Actioned
The ZetaChain team said in its post-mortem on Wednesday that the weakness exploited in the attack had been reported by a security researcher before the attack. However, it was not treated as a bug at the time because the developer considered it intended behavior for the system.
ZetaChain has now indicated that the incident has started an internal process to re-evaluate its approach to security reporting, in particular for more complex types of vulnerability and multi-step exploit chains.
Each individual issue may seem harmless on its own, but such issues can be combined with other system behaviors and cross-chain interactions.
$334,000 Theft Spread Over Several Chains
On Sunday, attackers launched a coordinated exploit that drained around $334,000 from ZetaChain-controlled wallets. The attack focused on the protocol’s cross-chain gateway infrastructure.
Based on reports, the exploit is believed to have taken place over nine transactions across four major networks (the networks are not specified):
Ethereum
Arbitrum
Base
BNB Smart Chain
It has also been made clear that all user funds were unaffected. The loss was limited to assets under the control of the protocol.
Community Backlash Over Ignored Warning
Almost immediately after the announcement, a wave of discussion sprang up across social media criticizing the state of bug bounty programs across DeFi.
One user on X remarked that the report had been submitted early and ignored, arguing that incentive mechanisms in certain protocols currently lead to early warnings being ignored.
The user added that:
That is generally how bug bounty programs work for these protocols at the moment; they reward the loss to the protocol, the total value locked, and the user’s balance, rather than paying the researcher to have found and fixed the bug.
Comments like these reflect community frustration. They also highlight an important tension in many Web3 security models: whether a concern is a theoretical risk or an actual vulnerability.
The Problem of “Valid but Ignored” Vulnerabilities
As the ZetaChain incident demonstrates, this is an endemic issue with blockchain security systems. Most exploits aren’t due to unseen bugs, but rather to unexpected edge cases that are ignored or overlooked during review.
One common theme in reports from security researchers is that an attack requires multiple assumptions or chained conditions to hold. While developers tend to call such conditions infeasible, in the real world they are sometimes met.
This creates a gray area where:
Developers want to avoid false positives and overreaction
Researchers struggle to identify worst-case combinations
Attackers target the difference between the two interpretations
ZetaChain Says Its Review Process Will Change
Following the exploit, ZetaChain announced that it will review its process for handling bug bounty submissions, especially those involving multi-step or cross-system bugs.
The focus of the review is expected to include:
More accurate classification of chained attack paths
Better escalation procedures for borderline reports
Improved communication and collaboration among developers and security researchers
Faster reassessment of previously rejected issues
Although no immediate structural changes have been described in detail, the team acknowledged that its process did not sufficiently account for the risk posed by the disclosed vulnerability.
More General Implications for DeFi Security
This is yet another addition to a list of exploits in decentralized finance where warnings were largely ignored or not taken seriously enough. It also raises the question of whether the bug bounty frameworks in place are sufficient for cross-chain protocols.
As protocols span multiple networks and deploy more composable infrastructure, it becomes difficult to evaluate their security in isolation. A single missed interaction can sometimes cascade into effects across multiple chains, as in this case.
For now, the ZetaChain exploit is a reminder that in blockchain security, the distinction between a theoretical bug and an actual exploit can come down to mere seconds and how clever an attacker is.






