ZetaChain Cross-Chain Messaging Vulnerability Exposed
A recent attack on ZetaChain's cross-chain messaging system has highlighted the importance of robust security measures in cryptocurrency networks.
The attack, which occurred on April 24, exposed three chained vulnerabilities that allowed an attacker to extract $333,868 in assets from internal team wallets.
The layer-1 network confirmed the findings in a post-mortem report, detailing how the attacker used the GatewayEVM contract as a unified entry point for interactions between external networks and ZetaChain applications.
The system allowed any user to request arbitrary calls with minimal restrictions, while the receiving contract accepted commands such as 'transferFrom' without sufficient validation.
In addition to these vulnerabilities, users who had deposited tokens via GatewayEVM.deposit() never revoked the unlimited spending approvals they had granted. The attacker combined these three conditions to drain funds across nine transactions distributed over Ethereum, Arbitrum, Base, and BSC.
The ZetaChain team ruled out an opportunistic attack: evidence suggests that the attacker funded their wallet through Tornado Cash approximately three days before executing the exploit. The attacker also brute-forced a vanity address that mimicked one of the victims' addresses, an address poisoning technique designed to obfuscate malicious on-chain activity.
ZetaChain has since deployed an emergency patch to eliminate the vulnerability, and the cross-chain transaction functionality remains inactive until additional updates and reviews are completed. The team recommends that all users who have interacted with the gateway contracts revoke the pending ERC-20 permissions granted to those addresses.
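
The revocation check recommended above, as an added example (not from ZetaChain's post-mortem or code): it replays ERC-20 Approval logs and lists owners whose allowance to a gateway address is still non-zero. All addresses and log entries are constructed placeholders, and the function names are hypothetical.

```python
# ERC-20 Approval(address indexed owner, address indexed spender, uint256 value)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1
# Constructed placeholder addresses; substitute the real gateway address per chain.
GATEWAY, OTHER = "0x" + "aa" * 20, "0x" + "cc" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
ALICE, BOB = "0x" + "a1" * 20, "0x" + "b0" * 20

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, spender):
    """Replay Approval logs in chain order; return {(token, owner): value} for
    non-zero allowances to `spender`. The last Approval is an upper bound only
    (spending need not emit Approval): confirm with allowance() on chain."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = [t.lower() for t in log["topics"]]
        if len(topics) != 3 or topics[0] != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares topic0 but has 4 topics
        if topic_to_address(topics[2]) != spender.lower():
            continue
        state[(log["address"].lower(), topic_to_address(topics[1]))] = int(log["data"], 16)
    return {k: v for k, v in state.items() if v > 0}

def revocation_report(logs, spender):
    """Rows of (owner, token, amount) that still need approve(spender, 0)."""
    live = outstanding_allowances(logs, spender)
    return [(owner, token, "UNLIMITED" if v == UNLIMITED else str(v))
            for (token, owner), v in sorted(live.items())]

def make_log(block, index, token, owner, spender, value):
    """Constructed log, simplified eth_getLogs shape with integer positions."""
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"blockNumber": block, "logIndex": index, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x%064x" % value}

# Constructed sample, deliberately out of chain order.
SAMPLE_LOGS = [
    make_log(150, 0, TOKEN_A, BOB, GATEWAY, 0),            # Bob revoked later
    make_log(100, 2, TOKEN_A, ALICE, GATEWAY, UNLIMITED),  # never revoked
    make_log(101, 0, TOKEN_A, BOB, GATEWAY, UNLIMITED),
    make_log(120, 5, TOKEN_B, ALICE, GATEWAY, 500),
    make_log(130, 1, TOKEN_A, ALICE, OTHER, UNLIMITED),    # different spender
]

print(revocation_report(SAMPLE_LOGS, GATEWAY))
```

Run it once per chain and per gateway address, since approvals on Ethereum, Arbitrum, Base and BSC are independent of each other.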




