Did ZetaChain ignore a bug report that could have prevented $334K exploit?
DeFi hacks have hit $629 million April, the highest monthly losses in over a year.
The ZetaChain’s $334K exploit was preventable if the team had taken earlier bug reports seriously.
In the post-mortem report, the team admitted that the gateway vulnerability leveraged by the attacker had been disclosed in a bug bounty program, but they dismissed it.
Prior to the exploit, the vulnerability class had been reported through our bug bounty program. Initial reports were dismissed as the arbitrary call behavior was considered by design.
Going forward, the project added, it will review all bug bounty submissions to ensure “reports involving chained attack vectors receive appropriate severity assessment.”
That said, the project clarified that protocol-controlled wallets were the ones drained of $334K, adding that no user funds were lost.
April crypto hack losses top $600M
In April, the losses from the rising crypto hacks hit $629 million, according to data tracked by DeFiLlama. This was the highest level of monthly losses so far in 2026.
In fact, even when zoomed out on a year-on-year (YoY) basis, it was still the largest loss.
This week alone, Aftermath Perps lost $1.14 million while Sweat Foundation suffered a $3.5M breach. ZetaChain, Judao, Scallop Lend, Syndicate, and Quant also suffered exploits ranging between $150K to $413K each.
Last week, Volo Vault, Purrlend, and Giddy also added to the growing list of victims. Perhaps the most notable victim in April is the Kelp DAO’s $293 million exploit, which triggered massive outflows across the DeFi ecosystem.
Yet, some of these exploits are preventable, especially with strong bug bounty programs. In the ZetaChain case, for example, there was a prior bug submission, which was ignored.
At the same time, the attacker did some tests before the exploit, which could be flagged by strong threat monitoring.
Now the industry will contend with another powerful threat actor: AI-powered models. Cybersecurity models with offensive capabilities like Anthropic’s Claude-powered Mythos and recently announced OpenAI’s GPT-5.5-Cyber are yet to be made public.
The reported offensive capability of these models should be a warning sign for the entire industry to take security measures more seriously or forget about mass adoption.
Final Summary
- ZetaChain admitted its $334K exploit was from a bug that was previously reported but wasn’t acted on.
- Losses linked to DeFi hacks in April have now crossed $600M, underscoring the need for proactive threat detection.
