ZetaChain Dismissed Bug Report Before $334K Exploit, Researcher Alleges

A critical vulnerability that later enabled a $334,000 exploit on ZetaChain had been reported through the platform's official bug bounty program prior to the attack—but was dismissed by the security team. The report allegedly contained details matching the exact attack vector used in the exploit, raising questions about the project's vulnerability assessment and disclosure handling procedures. The researcher claims the submission outlined the precise method that attackers subsequently used to drain funds from the protocol.

The timeline of events places the bug report submission ahead of the exploit, with documentation reportedly showing the security team's assessment and rejection of the vulnerability claim. Following the successful attack, ZetaChain confirmed the incident but has disputed certain aspects of the report's accuracy and the severity classification assigned by the original submitter. The discrepancy between the pre-incident rejection and the subsequent exploitation has drawn attention from the crypto security community, where bug bounty programs serve as a primary defense layer for protocols seeking external scrutiny of their code.

The incident intensifies scrutiny on how blockchain projects manage external security disclosures, particularly as bug bounty programs have become standard practice across the DeFi sector. Security researchers argue that properly functioning bounty systems require not only clear submission guidelines but also adequate internal capacity to evaluate and triage reports before malicious actors can exploit the same vulnerabilities. ZetaChain's handling of the pre-attack disclosure is now under examination, with the broader crypto ecosystem watching for the project's official response to the allegations and any potential reforms to its security disclosure protocols.