ZetaChain exploit: bug bounty report bin dismiss before $334K cross-chain drain

ZetaChain tok say bug weh cause di $334,000 exploit dem bin report am through dia bug bounty program before di attack, but dem dismiss am as "intended behavior." For im post-mortem, dem talk say di incident show weak points for how dem dey triage multi-step, chained cross-chain attack ways. Di ZetaChain exploit bin target dia cross-chain gateway and drain funds from ZetaChain-controlled wallets across nine transactions for Ethereum, Arbitrum, Base and BSC. ZetaChain report say no user funds bin affect. ZetaChain describe three-part design failure: (1) di gateway allow unrestricted cross-chain instructions; (2) di receiving side fit run almost any command on almost any contract, while di blocklist wey too narrow miss basic token transfer paths; and (3) wallets keep unlimited token approvals wey dem never revoke. ZetaChain talk say di attacker prepare well, no just opportunistic — dem fund one wallet via Tornado Cash three days earlier, deploy custom drainer contract, and do address poisoning. Mitigations include permanently disable di gateway’s arbitrary-call functionality with patch and change di deposit flow to replace unlimited approvals with exact-amount approvals. For traders, di main lesson be say ZetaChain exploit risk fit still dey unless bug bounty triage better model chained cross-chain abuse paths.
Neutral
Di incident na clear na smart-contract and cross-chain governance/security failure, and di ZetaChain exploit mechanics (unrestricted gateway calls plus unlimited approvals) na kain kain issue we traders dey watch because e fit repeat across assets. But ZetaChain talk say no user funds waka and dem don rollout concrete mitigations (disable arbitrary calls and remove unlimited approvals). That combination reduce immediate systemic market damage, so likely impact on crypto prices wey linked to the affected networks limited, leading to neutral market view.