Zora BaseSettler BaseSettlerMetaTxn Mistakenly Claimable

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Zora Network Logo/Homepage

Zora, an onchain social network aimed at empowering creators through decentralized tools and the $ZORA token, suffered a smart contract vulnerability due to human error. The team mistakenly set claimable tokens for contracts that could execute arbitrary calls, which an attacker exploited to drain approximately $140.8K in tokens. Despite the breach, Zora has made no public acknowledgment of the error on their Twitter/X, and there is no indication of recovered funds or an ongoing investigation, potentially leaving the situation unresolved, unexplained, and any affected users in the dark.[1][2][3][4][5][6][7][8][9]

About Zora Network

Zora is an onchain social network that reimagines how people create, connect, and earn online using blockchain technology. At its core, Zora provides a platform where users can share content—from art to photography to thoughts and ideas—while leveraging the transparency and ownership offered by crypto. This system enables a new type of digital interaction where creators can directly monetize their work and build communities without relying on traditional intermediaries.

The platform supports a wide range of creative expression, from generated visuals and photography to written reflections on crypto and internet culture. Zora promotes a more equitable digital economy by enabling creators and collectors to participate in secondary markets onchain. Its acquisition of Mint Fun and launch of the \$ZORA token further emphasize its commitment to building a decentralized and user-first ecosystem.

Zora is driven by a vision to "build pure internet"—a borderless, internet-native space for collaboration and creation. With a globally distributed team and no centralized headquarters, Zora embodies the principles of web3 decentralization. Through its tools, writing, and community, it aims to empower individuals to rediscover the internet’s potential and shift power back into the hands of creators.

The Reality

Unfortunately, even the best smart contract can still allow for some degree of human error.

What Happened

Zora, a decentralized social network, suffered a $140.8K exploit due to a smart contract misconfiguration.

Key Event Timeline - Zora BaseSettler BaseSettlerMetaTxn Mistakenly Claimable
Date Event Description
April 22nd, 2025 11:40:11 PM MDT The Latest Attack Transaction The transaction which TenArmor refers to as "[t]he latest attack t[ransaction]".
April 24th, 2025 7:32:03 AM MDT BaseSettler Contract Allocations The transaction which TenArmor refers to as "setAllocations for the BaseSettler contract".
April 24th, 2025 10:24:57 PM MDT Attack Transaction The transaction which TenArmor refers to as simply an "[a]ttack transaction".
April 25th, 2025 12:09:00 AM MDT TenArmor Tweet Posted TenArmor makes a post about the incident, reporting the total loss, the mechanism behind it, and multiple related transactions.

Technical Details

"The root cause is that the Zora team mistakenly set claimable tokens for the BaseSettler and BaseSettlerMetaTxn contracts via the setAllocationsWithSignature function of the ZoraTokenCommunityClaim contract.

However, these settler contracts can be leveraged to execute arbitrary calls.

The attacker crafted calls to the BaseSettler contract and executed the claim function of the ZoraTokenCommunityClaim contract, ultimately obtaining Zora tokens."

Total Amount Lost

Losses were reported as $140.8K by TenArmor.

The total amount lost has been estimated at $141,000 USD.

Immediate Reactions

There doesn't appear to be any mention of the situation on Zora's public Twitter/X.

Ultimate Outcome

Nothing about this case has ever appeared on the Zora's Twitter/X. It is unclear if they have done anything to anyone who may have been affected.

Total Amount Recovered

There is no indication that any funds have been recovered.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

It is unclear if there is any further investigation ongoing.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. TenArmor - "Our system has detected multiple suspicious attacks involving #Zora @zora on #BASE, resulting in an approximately loss of $140.8K." - Twitter/X (Accessed Aug 5, 2025)
  2. The Latest Attack Transaction - BaseScan (Accessed Aug 5, 2025)
  3. setAllocations for the BaseSettler Contract - BaseScan (Accessed Aug 5, 2025)
  4. An Attack Transaction - BaseScan (Accessed Aug 5, 2025)
  5. Zora.co Twitter/X (Accessed Aug 5, 2025)
  6. Zora.co Homepage (Accessed Aug 5, 2025)
  7. Zora.co About Page (Accessed Aug 5, 2025)
  8. Base Network - "The (New) Creator Economy. Find out what attention is worth with @zora. Every post and profile on Zora is a coin. When people trade them, creators earn." - Twitter/X (Accessed Aug 5, 2025)
  9. What is ZORA? Complete Guide to ZORA Network’s Revolutionary Memecoin ($ZORA) - Mexc Blog (Accessed Aug 5, 2025)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Zora_BaseSettler_BaseSettlerMetaTxn_Mistakenly_Claimable&oldid=6892"