- ZetaChain said attackers exploited a cross-chain loophole on the network last Monday.
- The network confirmed that users’ funds remained safe despite a $334,000 loss.
- The attacker aligned 3 issues in the cross-chain messaging system to exploit ZetaChain.
Layer 1 network ZetaChain officially confirmed a targeted exploit on its platform involving deliberate preparation, including Tornado Cash funding and wallet address spoofing.
$334,000 Stolen Across Four Chains
In its latest post on X, the ZetaChain team stated that the attack affected specific GatewayEVM arbitrary-call functionality, resulting in approximately $334K in losses across four connected chains.
However, the blockchain network noted that the exploit did not affect cross-chain ZETA transfers or user funds. According to the platform, all wallets affected by the attack were controlled by ZetaChain. Meanwhile, the team immediately deployed a mainnet patch and promised to re-enable the suspended cross-chain transactions after continued monitoring.
What Happened in the Attack?
The attack in question occurred on Monday, April 27, when the attacker reportedly aligned three issues in the cross-chain messaging system and took advantage of the interoperability-focused chain. Subsequently, ZetaChain’s cross-chain system allowed anyone to request “arbitrary calls” with minimum restrictions. Meanwhile, the GatewayEVM contract on the receiving end accepted most commands, including “transferFrom.”
The final part of the attack involved users who had previously deposited tokens through “GatewayEVM.deposit()” being granted unlimited approvals to spend tokens without revocation. According to ZetaChain, the attacker leveraged this loophole to siphon the tokens from the wallets.
The ZetaChain team found that the exploiter invested significant time and resources in preparation before executing the attack. The team stated that the attacker took three days to fund his wallet through Tornado Cash, in an attempt to mask the source of funds. Meanwhile, the attack proper involved launching a brute-force attack on a vanity address, mimicking a victim’s wallet, reflecting a classic address-poisoning technique that could further obfuscate malicious on-chain activity.
ZetaChain Reassures Users
In the meantime, ZetaChain recommended that users who have previously interacted with the ZetaChain gateway contracts revoke any outstanding ERC-20 token allowances granted to the identified gateway addresses. The network’s team said the move is precautionary, to ensure users’ funds remain protected.
The network reassured users of its commitment to the ecosystem and original long-term roadmap and mission that remain unchanged.
Related: ZetaChain (ZETA) Price Prediction 2024-2030: Will ZETA Break New Highs?
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.
Source: https://coinedition.com/zetachain-confirms-attack-on-platform-says-no-user-funds-were-affected/