Overview and Mitigation of X-Bridge Exploit
On February 6, 2025, Zilliqa identified an exploit on X-Bridge that leveraged a vulnerability in one of the platform’s recently introduced token manager contracts.

Update: New zETH and zBNB Contracts Deployed
In line with the mitigation strategy following the recent X-Bridge exploit, new zETH and zBNB tokens have been deployed with the following contract addresses, and the compromised tokens have been deprecated:
- zETH Contract: zil1gswgvqhqcuz8lzy2d2xy384fp3hsqme9tzdzmr
- zBNB Contract: zil1qswyc0k0n2gkqcaxqpz4kzve9cqg8yh5u49wza
These tokens retain legitimate token balances as of Zilliqa mainnet block number 4465720 (zETH) and 4474090 (zBNB) while removing invalid tokens associated with the attacker.
The balances of those who did not participate in the attack or buy zETH/zBNB after the incident should not be affected, as their token balance will be prepopulated with their old balance at this block number.
Users will be able to transact and bridge their new zETH and zBNB tokens as normal. In the coming days, the new contract addresses for zETH and zBNB will be added to X-Bridge and support for bridging these tokens will be restored.
If you purchased or transacted zETH or zBNB after the exploit and there is an issue with your token balance, or you were providing liquidity to a zETH or zBNB pool and believe your position was affected by the exploit, please reach out to the Zilliqa team via [email protected] with the relevant transaction details.
The Zilliqa team will be accepting and evaluating these enquiries until 17:00 GMT on Tuesday, March 18th, 2025.
On February 6, 2025, Zilliqa identified an exploit on X-Bridge that leveraged a vulnerability in one of the platform’s recently introduced token manager contracts.
This exploit enabled the attacker to mint the Zilliqa-bridged versions of native currencies on Ethereum and Binance Smart Chain (BSC) without locking the corresponding amount of assets on these networks.
Through this vulnerability, the attacker generated 531 Zilliqa-bridged ETH (zETH) and 2.2133 Zilliqa-bridged BNB (zBNB). The following transactions were then executed:
- 123.116 zETH was bridged back through X-Bridge to the Ethereum network.
- 2.2133 zBNB was bridged back through X-Bridge to BSC.
- The attacker sold 140.3780 zETH on ZilSwap for USDT $42,000 and 0.0718 zWBTC, which was subsequently bridged back to Ethereum and liquidated.
Upon discovery of this exploit, Zilliqa took immediate action to mitigate further risks:
- The bridge relayer was shut down and all related token manager contracts were paused.
- Switcheo, the operator of ZilSwap, was promptly notified of the issue affecting its zETH pool.
- Zilliqa issued a public notice announcing the exploit and warned users against trading zETH on ZilSwap. A security warning was also issued via the X-Bridge UI.
- Switcheo disabled zETH pools on ZilSwap.
Corrective actions and mitigation
Zilliqa is implementing a number of corrective actions to bring X-Bridge securely back online and mitigate the effect of the exploited zETH and zBNB contracts.
Firstly, the affected zETH and zBNB tokens will be deprecated, and new token contracts will be deployed, retaining legitimate token balances as of Zilliqa mainnet block number 4465720 for zETH and 4474090 for zBNB while removing the invalid tokens associated with the attacker.
This means that those who didn’t participate in the attack, and who didn’t buy zETH/zBNB after the announcement of the incident (published at 22:48 on February 6, 2025) will not be affected, as their new token balance will be prepopulated with their old balance at this block number.
Those who purchased zETH/zBNB after the exploit occurred but before the issue with the zETH pool on ZilSwap was announced (published at 00:06 on February 7, 2025) should reach out to the Zilliqa team via [email protected] with their transaction details if there is an issue with their balance.
Operating X-Bridge in a restricted capacity
Implemented for compatibility with the legacy Zilliqa network as a result of ZilBridge being decommissioned, X-Bridge was extended to allow bridging of tokens formerly listed on ZilBridge to supported networks ahead of its migration to the robust cross-chain infrastructure introduced in Zilliqa 2.0.
Following this exploit, the affected X-Bridge contracts will be upgraded to enforce stricter balance checks before minting bridged assets, preventing unauthorised token creation.
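The invariant behind such a check is that every mint of a bridged asset must be backed by a lock of the same native asset for at least the same amount. The following is an added illustration of an off-chain reconciliation over lock and mint events, not Zilliqa's contract or relayer code; the event fields, nonces and amounts are constructed for the example, and the page does not describe how the actual fix is implemented.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample events; field names are hypothetical, not X-Bridge's schema.
LOCKS = [  # deposits observed on the source chain
    {"nonce": 1, "token": "ETH", "amount": "1.5"},
    {"nonce": 2, "token": "BNB", "amount": "0.4"},
]
MINTS = [  # mints observed on the destination chain
    {"nonce": 1, "token": "zETH", "amount": "1.5"},  # fully backed
    {"nonce": 2, "token": "zBNB", "amount": "0.9"},  # larger than its lock
    {"nonce": 7, "token": "zETH", "amount": "100"},  # no lock exists
    {"nonce": 1, "token": "zETH", "amount": "1.5"},  # lock already used
]
WRAPPED = {"zETH": "ETH", "zBNB": "BNB"}  # bridged token -> native asset


def reconcile(locks, mints):
    """Match each mint to one lock; return (findings, unbacked per token)."""
    by_nonce = {lock["nonce"]: lock for lock in locks}
    consumed = set()                  # a lock may back only one mint
    findings = []
    unbacked = defaultdict(Decimal)   # Decimal avoids float rounding on amounts
    for mint in mints:
        amount = Decimal(mint["amount"])
        lock = by_nonce.get(mint["nonce"])
        if lock is None or lock["token"] != WRAPPED.get(mint["token"]):
            findings.append((mint["nonce"], "mint-without-lock"))
            unbacked[mint["token"]] += amount
        elif mint["nonce"] in consumed:
            findings.append((mint["nonce"], "lock-already-consumed"))
            unbacked[mint["token"]] += amount
        else:
            consumed.add(mint["nonce"])
            excess = amount - Decimal(lock["amount"])
            if excess > 0:
                findings.append((mint["nonce"], "mint-exceeds-lock"))
                unbacked[mint["token"]] += excess
    return findings, dict(unbacked)


if __name__ == "__main__":
    findings, unbacked = reconcile(LOCKS, MINTS)
    for nonce, reason in findings:
        print(f"nonce {nonce}: {reason}")
    print("unbacked supply:", unbacked)
```

A non-empty findings list is the signal to pause minting and alert, since any unbacked amount is supply that cannot be redeemed against locked assets.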
In the short term, X-Bridge will be brought back online in a limited capacity, operating under restrictions to ensure the security and reliability of the infrastructure.
This means it may take some time for bridge transactions to be processed, and users should expect delays as we work to restore full functionality in a secure environment. A small number of legitimate X-Bridge transactions are currently stuck and have not been processed. These will be processed once X-Bridge returns to operation.
We expect X-Bridge to resume operation in the near future, and we will notify users once the platform is reactivated.
Zilliqa remains committed to the security and integrity of its ecosystem. We appreciate the patience and support of our community as we work to mitigate the effect of this exploit and ensure robust protection against any future vulnerabilities.
For further updates on the return of X-Bridge to limited operations, please stay tuned to our official channels and follow us on X.