ZetaChain, the interoperability-focused Layer 1 network that markets itself as a “universal blockchain” bridging EVM chains, Bitcoin, Solana, Sui, and TON, has published a detailed post-mortem breaking down the April 24 exploit that hit its GatewayEVM smart contract.
The disclosure, released on Tuesday, paints the picture of a calculated, well-funded attacker who spent days preparing before executing a surgical drain of internal team wallets worth $333,868 in stablecoins.
No user funds were lost in the incident. But what the report reveals about the root cause raises pointed questions about access control practices and approval hygiene at one of crypto’s most ambitious interoperability projects.
What happened, and when
The exploit window ran from approximately 12:51 UTC to 23:00 UTC on April 26, with ZetaChain disclosing the incident publicly the following day on April 27. The team immediately paused all cross-chain transactions on the mainnet and blocked the attack vector to prevent further losses.
According to the post-mortem, the attacker drained a total of $333,868, primarily in USDC and USDT, through 9 separate cross-chain transactions targeting three internal team-controlled wallets. The stolen funds were spread across four destination chains: Ethereum, Arbitrum, Base, and BNB Smart Chain (BSC).
After executing the drains, the attacker swapped all stolen stablecoins for ETH through decentralized exchanges and consolidated the proceeds. According to an independent analysis by SolidityScan, the attacker ultimately parked roughly 139.01 ETH (approximately $318,977 after DEX slippage and bridging fees) into a single profits wallet. The roughly $15,000 gap between the face value of drained tokens and the final ETH amount reflects swap slippage and cross-chain bridging costs.
The root cause: three defects, one exploit
The post-mortem identifies a chain of three independent defects across different layers of ZetaChain’s cross-chain architecture. What makes this exploit especially notable is that removing any single one of the three flaws would have been enough to prevent the attack entirely. The attacker needed all three to work in sequence.
The first defect sat in the GatewayZEVM.call() function on ZetaChain itself. This function, the entry point for initiating cross-chain calls, had no access control and no input validation. It was completely open. Any address, including a freshly deployed exploit contract, could invoke it.
The only checks in place were cosmetic: a minimum gas limit and a maximum message size. There were no restrictions on which destination contract could be targeted, no constraints on what message payload could be passed, and the IsArbitraryCall flag was taken directly from the caller’s input without verification.
When triggered, this function emitted a Called event that ZetaChain’s threshold signature scheme (TSS) validators treated as a legitimate cross-chain message, signing off on the resulting destination-chain transaction.
The second defect resided in the GatewayEVM.execute() function on the receiving end. This contract on Ethereum and other connected chains accepted most incoming commands routed through the TSS, including arbitrary external calls. Critically, this meant it would process transferFrom instructions.
Because the GatewayEVM contract itself was the caller of these instructions, and because it already held token approvals from depositors, the contract effectively became the instrument through which the attacker moved funds.
The third defect was not a code bug at all but a trust assumption baked into how ZetaChain’s deposit flow worked. Users (in this case, ZetaChain’s own internal team wallets) who had previously deposited tokens through GatewayEVM.deposit() had granted unlimited ERC-20 spending approvals to the gateway contract. Those approvals were never revoked.
The attacker simply leveraged these existing, open-ended permissions to instruct the gateway contract to transfer tokens out of the victim wallets on its behalf.
In short, the attacker deployed an exploit contract on ZetaChain, used the unauthenticated call() function to emit a spoofed cross-chain event, tricked the TSS validators into co-signing the malicious transaction, and then had the GatewayEVM contract itself execute transferFrom calls against wallets that had standing approvals. The protocol’s own infrastructure became the weapon.
Blockchain security firm SlowMist independently confirmed the root cause shortly after the incident became public, flagging the missing access controls as the core vulnerability.
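The missing payload constraint and the forwarded transferFrom described above can be made concrete with a selector-level screen. This is an added example, not ZetaChain's code or its patch; the gateway address, the sample payload and the `screen_payload` helper are constructed for illustration.

```python
# Added example, not ZetaChain's code: screen calldata a gateway would forward.
GATEWAY = "0x" + "aa" * 20  # constructed placeholder address

# Standard ERC-20 selectors: first 4 bytes of keccak256(function signature).
TOKEN_MOVERS = {
    "23b872dd": "transferFrom(address,address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
    "095ea7b3": "approve(address,uint256)",
}

def _addr(word: bytes) -> str:
    """Address from a 32-byte ABI word (right-aligned 20 bytes)."""
    return "0x" + word[12:].hex()

def screen_payload(payload_hex: str, gateway: str = GATEWAY) -> dict:
    """Decide whether an arbitrary-call payload should be refused."""
    try:
        raw = bytes.fromhex(payload_hex[2:] if payload_hex.startswith("0x") else payload_hex)
    except ValueError:
        return {"blocked": True, "reason": "payload is not valid hex"}
    if len(raw) < 4:
        return {"blocked": True, "reason": "payload shorter than a selector"}
    selector, args = raw[:4].hex(), raw[4:]
    name = TOKEN_MOVERS.get(selector)
    if name is None:
        return {"blocked": False, "reason": "no ERC-20 token-movement selector"}
    verdict = {"blocked": True, "reason": "token-movement call: " + name}
    if selector == "23b872dd" and len(args) >= 96:
        owner = _addr(args[0:32])
        verdict.update(
            owner=owner,
            to=_addr(args[32:64]),
            amount=int.from_bytes(args[64:96], "big"),
            # True when the gateway would spend someone else's approved balance
            third_party_funds=owner.lower() != gateway.lower(),
        )
    return verdict

# Constructed sample: transferFrom(0x11..11, 0x22..22, 250000 USDC at 6 decimals)
SAMPLE = ("0x23b872dd" + "00" * 12 + "11" * 20 + "00" * 12 + "22" * 20
          + format(250_000 * 10**6, "064x"))

if __name__ == "__main__":
    print(screen_payload(SAMPLE))
    print(screen_payload("0x12345678"))
```

A selector denylist like this is a floor, not a complete policy; restricting which destination contracts an arbitrary call may target closes more of the surface described above.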
A “highly prepared” attacker
ZetaChain’s post-mortem is explicit in categorizing this as a premeditated, well-resourced operation rather than an opportunistic grab.
The attacker funded their wallet through Tornado Cash approximately three days before the exploit, deliberately obscuring the source of funds. This preparation period suggests the exploiter spent considerable time studying ZetaChain’s contract architecture and identifying the specific chain of vulnerabilities before executing.
In addition to laundering the funding trail, the attacker also launched a brute-force vanity address attack, generating a wallet address designed to visually mimic one of the victim wallets. This is a classic address poisoning technique, typically used to confuse on-chain observers and complicate attribution.
In this context, it appears to have been another layer of obfuscation designed to buy time and cover tracks during the post-exploit phase.
Once the drains were complete, the attacker moved quickly, converting all stolen USDC and USDT to ETH across multiple DEXs before consolidating to the final profits wallet.
The response and what comes next
ZetaChain says it has already deployed a patch to the mainnet that eliminates the vulnerability in the GatewayZEVM.call() function. The attack vector has been blocked, and no further funds can be drained through the same mechanism.
However, cross-chain transaction functionality, which was paused within hours of the exploit being detected, remains suspended. ZetaChain has stated it will not re-enable cross-chain operations until additional upgrades and security reviews are completed. As of this writing, the protocol’s status page shows all other mainnet and testnet components operating normally, with only the cross-chain transaction layer remaining paused.
The team has also issued a precautionary advisory urging all users who have previously interacted with ZetaChain’s gateway contracts to revoke any outstanding ERC-20 token allowances granted to the gateway addresses.
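To act on that advisory, a wallet owner first needs the list of allowances still open to the gateway. The sketch below is an added example, not ZetaChain's tooling: it replays ERC-20 Approval logs to find them, and every address and log entry in it is constructed.

```python
# Added example, not ZetaChain's tooling: find live allowances to one spender.
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval topic0.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1
GATEWAY = "0x" + "aa" * 20  # constructed placeholder for a gateway address

def _topic_addr(topic: str) -> str:
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def standing_allowances(logs, spender=GATEWAY):
    """Replay Approval logs in chain order; the last value per pair wins."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but has 4 topics; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if _topic_addr(topics[2]) != spender.lower():
            continue
        latest[(log["address"].lower(), _topic_addr(topics[1]))] = int(log["data"], 16)
    return [
        {"token": t, "owner": o, "allowance": a, "unlimited": a == UNLIMITED}
        for (t, o), a in sorted(latest.items()) if a > 0  # 0 means revoked
    ]

def _log(token, owner, spender, value, block, index=0):
    """Build one constructed log in eth_getLogs shape (numbers as ints)."""
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"address": token, "blockNumber": block, "logIndex": index,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

USDC, USDT = "0x" + "c1" * 20, "0x" + "d2" * 20   # constructed token addresses
A, B, C = ("0x" + b * 20 for b in ("01", "02", "03"))  # constructed wallets
SAMPLE_LOGS = [
    _log(USDC, A, GATEWAY, UNLIMITED, 100),        # never revoked
    _log(USDC, B, GATEWAY, UNLIMITED, 101),
    _log(USDT, A, GATEWAY, 500 * 10**6, 120),      # finite, still open
    _log(USDC, C, "0x" + "ee" * 20, UNLIMITED, 130),  # different spender
    _log(USDC, B, GATEWAY, 0, 150),                # B revoked later
]

if __name__ == "__main__":
    for row in standing_allowances(SAMPLE_LOGS):
        print(row)
```

Logs only nominate candidates: confirm each row with the token's `allowance(owner, spender)` view before and after revoking, since spends reduce finite allowances without necessarily emitting Approval.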
Market reaction
ZETA, ZetaChain’s native token, dropped between 4.8% and 5.7% in the 24 hours following the exploit disclosure, trading near $0.054 with a market capitalization of roughly $73 million. Trading volume spiked to around $5.8 million in the same period.
Despite the sell-off, data showed over $5.36 million worth of ZETA purchased on Kraken during the decline, suggesting some selective accumulation at lower levels.
ZetaChain’s mainnet originally went live in early 2024, and the network has since expanded into AI integration with the launch of ZetaChain 2.0 and its AI Portal in January 2026.
April’s brutal DeFi security landscape
The ZetaChain exploit, while relatively contained in dollar terms, arrives against the backdrop of what has become the worst month for DeFi security incidents since the $1.4 billion Bybit breach in February 2025.
The largest incident this month was the $292 million exploit of Kelp DAO’s LayerZero-powered cross-chain bridge on April 18. The attacker exploited a 1-of-1 verifier configuration to drain 116,500 rsETH from the Ethereum mainnet escrow contract.
Multiple cybersecurity firms later attributed that breach to North Korea’s Lazarus Group. The fallout cascaded through DeFi, creating nearly $190 million in bad debt on Aave and triggering the formation of “DeFi United,” an industry coalition that has since raised over $300 million in ETH to cover the damage.
Solana-based decentralized exchange Drift Protocol also suffered a $285 million exploit earlier in April. Combined with the Kelp DAO breach, those two attacks alone account for roughly 95% of the month’s total hack losses.
DefiLlama data shows at least 11 separate exploits targeting DeFi protocols in the past 10 days alone. At a broader level, DeFi has recorded 47 incidents in the first four and a half months of 2026, compared with 28 over the same period last year, a 68% year-over-year increase in attack frequency. The cumulative value hacked across the crypto industry now stands at $16.497 billion historically, with bridge exploits accounting for $2.908 billion of that total.
Cross-chain infrastructure continues to sit at the top of the target list. The Ronin ($625 million), Wormhole ($320 million), and Nomad ($190 million) exploits of previous years already demonstrated the concentrated risk that bridges carry. The pattern of attacks this April has only intensified calls for stricter audit standards, multi-verifier configurations, and time-delayed withdrawal mechanisms for large cross-chain transfers.
For ZetaChain, the immediate priority is completing the security review and safely reopening cross-chain operations. The upcoming weeks will determine whether the team can rebuild confidence in its omnichain architecture or whether this incident, however small in comparison to the month’s headline breaches, becomes a longer-term trust liability.
