Overview and Mitigation of X-Bridge Exploit

On February 6, 2025, Zilliqa identified an exploit on X-Bridge that leveraged a vulnerability in one of the platform’s recently introduced token manager contracts. 

This exploit enabled the attacker to mint the Zilliqa-bridged versions of native currencies on Ethereum and Binance Smart Chain (BSC) without locking the corresponding amount of assets on these networks.

Through this vulnerability, the attacker generated 531 Zilliqa-bridged ETH (zETH) and 2.2133 Zilliqa-bridged BNB (zBNB). After the breach, the following transactions were executed:

  • 123.116 zETH was bridged back through X-Bridge to the Ethereum network.
  • 2.2133 zBNB was bridged back through X-Bridge to BSC.
  • The attacker sold 140.3780 zETH on ZilSwap for USDT $42,000 and 0.0718 zWBTC, which was subsequently bridged back to Ethereum and liquidated.

Upon discovery of this exploit, Zilliqa took immediate action to mitigate further risks:

Corrective actions and mitigation

Zilliqa is implementing a number of corrective actions to bring X-Bridge securely back online and mitigate the effect of the exploited zETH and zBNB contracts.

Firstly, the affected zETH token will be deprecated, and a new zETH token will be deployed, retaining legitimate token balances as of Zilliqa mainnet block number 4465720 (generated at 08:49 on February 18, 2025) while removing the invalid tokens associated with the attacker.

This means that those who didn’t participate in the attack, and who didn’t buy zETH after the announcement of the incident (published at 22:48 on February 6, 2025) will not be affected, as their new zETH token balance will be prepopulated with their old zETH balance at this block number.

Those who purchased zETH after the exploit occurred but before the issue with the zETH pool on ZilSwap was announced (published at 00:06 on February 7, 2025) should reach out to the Zilliqa team via [email protected] with their transaction details if there is an issue with their zETH balance.

Operating X-Bridge in a restricted capacity

X-Bridge was implemented for compatibility with the legacy Zilliqa network after ZilBridge was decommissioned. It was extended to allow bridging of tokens formerly listed on ZilBridge to supported networks, ahead of its migration to the robust cross-chain infrastructure introduced in Zilliqa 2.0.

Following this exploit, the affected X-Bridge contracts will be upgraded to enforce stricter balance checks before minting bridged assets, preventing unauthorised token creation.
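To illustrate the kind of check described above, here is an added example (not Zilliqa's contract code, and not taken from this announcement) that models a lock-and-mint bridge ledger in Python. The class, method names, deposit IDs, addresses and amounts are all hypothetical; the announcement does not describe the actual contract logic.

```python
from dataclasses import dataclass, field

@dataclass
class BridgeLedger:
    """Toy accounting model of a lock-and-mint bridge (all names hypothetical)."""
    locked: dict = field(default_factory=dict)   # deposit_id -> (recipient, amount) locked on source chain
    consumed: set = field(default_factory=set)   # deposit_ids already used to back a mint
    minted_total: int = 0                        # bridged supply issued on the destination chain

    def record_lock(self, deposit_id: str, recipient: str, amount: int) -> None:
        # Assumed to be called only once a lock is final on the source chain.
        if amount <= 0 or deposit_id in self.locked:
            raise ValueError("invalid or duplicate lock")
        self.locked[deposit_id] = (recipient, amount)

    def locked_total(self) -> int:
        return sum(amount for _, amount in self.locked.values())

    def authorize_mint(self, deposit_id: str, recipient: str, amount: int) -> tuple[bool, str]:
        # Every check must pass before any bridged token is created.
        if deposit_id not in self.locked:
            return False, "no matching lock"
        if deposit_id in self.consumed:
            return False, "lock already consumed"
        if self.locked[deposit_id] != (recipient, amount):
            return False, "recipient or amount mismatch"
        if self.minted_total + amount > self.locked_total():
            return False, "mint would exceed locked collateral"  # defense in depth
        self.consumed.add(deposit_id)
        self.minted_total += amount
        return True, "ok"

    def supply_invariant_ok(self) -> bool:
        # Bridged supply must never exceed what is locked on the source chain.
        return self.minted_total <= self.locked_total()

def demo() -> list:
    # Constructed sample data: amounts are integers in wei, IDs and addresses are made up.
    ledger = BridgeLedger()
    ledger.record_lock("dep-1", "zil1alice", 2 * 10**18)
    requests = [
        ("dep-1", "zil1alice", 2 * 10**18),    # backed by a recorded lock
        ("dep-1", "zil1alice", 2 * 10**18),    # replay of the same lock
        ("dep-9", "zil1mallory", 5 * 10**18),  # no lock behind the request
        ("dep-1", "zil1alice", 3 * 10**18),    # replayed id with an inflated amount
    ]
    return [ledger.authorize_mint(*request) for request in requests]

if __name__ == "__main__": print(demo())
```

The same `supply_invariant_ok` comparison can be run off-chain as a monitor that alerts when bridged supply and locked collateral diverge.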

In the short term, X-Bridge will be brought back online in a limited capacity, operating under restrictions to ensure the security and reliability of the infrastructure. 

This means it may take some time for bridge transactions to be processed, and users should expect delays as we work to restore full functionality in a secure environment. A small number of legitimate X-Bridge transactions are currently stuck and have not been processed. These will be processed once X-Bridge returns to operation.

We expect X-Bridge to resume operation in the near future, and we will notify users once the platform is reactivated.

Zilliqa remains committed to the security and integrity of its ecosystem. We appreciate the patience and support of our community as we work to mitigate the effect of this exploit and ensure robust protection against any future vulnerabilities.

For further updates on the return of X-Bridge to limited operations, please stay tuned to our official channels and follow us on X.