Apr 2025 - Zora BaseSettler BaseSettlerMetaTxn Mistakenly Claimable - $141k (Global)
Zora is an onchain social network that reimagines how people create, connect, and earn online using blockchain technology. At its core, Zora provides a platform where users can share content—from art to photography to thoughts and ideas—while leveraging the transparency and ownership offered by crypto. This system enables a new type of digital interaction where creators can directly monetize their work and build communities without relying on traditional intermediaries.
The platform supports a wide range of creative expression, from generated visuals and photography to written reflections on crypto and internet culture. Zora promotes a more equitable digital economy by enabling creators and collectors to participate in secondary markets onchain. Its acquisition of Mint Fun and launch of the \$ZORA token further emphasize its commitment to building a decentralized and user-first ecosystem.
Zora is driven by a vision to "build pure internet"—a borderless, internet-native space for collaboration and creation. With a globally distributed team and no centralized headquarters, Zora embodies the principles of web3 decentralization. Through its tools, writing, and community, it aims to empower individuals to rediscover the internet’s potential and shift power back into the hands of creators.
Unfortunately, even the best smart contract can still allow for some degree of human error.
"The root cause is that the Zora team mistakenly set claimable tokens for the BaseSettler and BaseSettlerMetaTxn contracts via the setAllocationsWithSignature function of the ZoraTokenCommunityClaim contract.
However, these settler contracts can be leveraged to execute arbitrary calls.
The attacker crafted calls to the BaseSettler contract and executed the claim function of the ZoraTokenCommunityClaim contract, ultimately obtaining Zora tokens."
Losses were reported as $140.8K by TenArmor.
There doesn't appear to be any mention of the situation on Zora's public Twitter/X.
Nothing about this case has ever appeared on the Zora's Twitter/X. It is unclear if they have done anything to anyone who may have been affected.
There is no indication that any funds have been recovered.
It is unclear if there is any further investigation ongoing.
Further Analysis
Zora, an onchain social network aimed at empowering creators through decentralized tools and the $ZORA token, suffered a smart contract vulnerability due to human error. The team mistakenly set claimable tokens for contracts that could execute arbitrary calls, which an attacker exploited to drain approximately $140.8K in tokens. Despite the breach, Zora has made no public acknowledgment of the error on their Twitter/X, and there is no indication of recovered funds or an ongoing investigation, potentially leaving the situation unresolved, unexplained, and any affected users in the dark.
How Could This Have Been Prevented?
More Cryptocurrency Exchange Hacks/Scams/Frauds
ACB Staking Reward Manipulation Spot Price Oracle Exploit > > < < Numa Money Collateral Loss via Flash Loan Price Manipulation
Sources/Further Reading
TenArmor - "Our system has detected multiple suspicious attacks involving #Zora @zora on #BASE, resulting in an approximately loss of $140.8K." - Twitter/X (Dec 31)
The Latest Attack Transaction - BaseScan (Dec 31)
setAllocations for the BaseSettler Contract - BaseScan (Dec 31)
An Attack Transaction - BaseScan (Dec 31)
Zora.co Twitter/X (Dec 31)
Zora.co Homepage (Dec 31)
Zora.co About Page (Dec 31)
Base Network - "The (New) Creator Economy. Find out what attention is worth with @zora. Every post and profile on Zora is a coin. When people trade them, creators earn." - Twitter/X (Dec 31)
What is ZORA? Complete Guide to ZORA Network’s Revolutionary Memecoin ($ZORA) - Mexc Blog (Dec 31)
 t.me/QuadrigaInitiative
|
 /r/QuadrigaInitiative
|
 @QuadrigaInit
|
 info@quadrigainitiative.com
|