ZetaChain has paused all cross-chain transfers following an attack exploiting a vulnerability in its GatewayEVM contract. The exploit hit only internal team wallets and did not touch user funds or the ZETA token supply, according to the project’s initial statements.
On April 27, the team discovered the attack and promptly blocked the exploit vector. Analytics platforms and security researchers estimate the overall losses from those internal wallets at around $300,000, or roughly 139 ETH.
What Went Wrong in the GatewayEVM Contract
The attack targeted ZetaChain’s GatewayEVM, a core smart contract that routes messages and assets across different EVM-compatible chains. Security firm SlowMist and other researchers say the root vulnerability lies in the contract’s call function, which lacked proper access controls and input validation.
Because of this weakness, a malicious user could trigger arbitrary cross-chain calls and trick the system into approving operations it should have blocked.
One analysis describes how the attacker used a custom exploit contract to emit a “Called” event that activated ZetaChain’s threshold signature scheme, causing validators to sign off on unauthorized transactions.
ZetaChain’s Response and User Safety
Once the team confirmed the exploit, it halted cross-chain transactions on mainnet as a precaution while it investigated and drafted a fix. ZetaChain’s status page and exchange notices show that cross-chain functions remained paused for hours after the incident, even though the direct attack vector had been closed.
Security firm Blockaid also issued an alert urging users to revoke any prior approvals for the GatewayEVM contract across Ethereum, Arbitrum, Base, and other EVM networks. Despite the disruption, all major reports agree that regular user assets and liquidity pools remained safe, while only internal wallets suffered direct losses.
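The approval review that Blockaid recommends can start from exported token logs. The following Python is an added example, not code from ZetaChain or Blockaid: it finds ERC-20 approvals to a gateway address that were never set back to zero. The gateway address is a placeholder, the logs are constructed, and the log shape (eth_getLogs fields with integer block numbers) is an assumption.

```python
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
GATEWAY = "0x" + "aa" * 20   # placeholder, not the real GatewayEVM address
OTHER = "0x" + "bb" * 20     # constructed unrelated spender
MAX_UINT = hex(2**256 - 1)

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, spender):
    """Map (token, owner) -> last approved amount for spender, non-zero only.

    The last Approval event is an upper bound: transferFrom may have spent
    part of it, so confirm with an on-chain allowance() call before acting.
    """
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval reuses topic0 but has 4 topics; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[1]))
        latest[key] = int(log["data"], 16)
    return {k: v for k, v in latest.items() if v > 0}

def _log(token, owner, spender, value_hex, block, index=0):
    """Build a constructed log in eth_getLogs shape (block numbers as ints)."""
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": value_hex, "blockNumber": block, "logIndex": index}

TOKEN_1, TOKEN_2 = "0x" + "11" * 20, "0x" + "22" * 20   # constructed
ALICE, BOB = "0x" + "a1" * 20, "0x" + "b0" * 20         # constructed
SAMPLE_LOGS = [
    _log(TOKEN_1, ALICE, GATEWAY, MAX_UINT, 100),  # unlimited approval
    _log(TOKEN_1, ALICE, GATEWAY, "0x0", 120),     # later revoked
    _log(TOKEN_2, BOB, GATEWAY, "0x1f4", 110),     # 500 still approved
    _log(TOKEN_2, ALICE, OTHER, MAX_UINT, 115),    # different spender
]

if __name__ == "__main__":
    for (token, owner), amount in outstanding_approvals(SAMPLE_LOGS, GATEWAY).items():
        print(f"revoke: owner={owner} token={token} amount={amount}")
```

Run it once per network with that network's gateway address, since an approval on one chain says nothing about the others.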
ZetaChain has committed to publishing a comprehensive postmortem once its internal investigation is complete. The team expects the report to describe how the vulnerability evaded audits, how the attacker designed the exploit, and what new safeguards the project will add to its cross-chain architecture.
The incident adds to a growing list of bridge and cross-chain contract hacks that have hit DeFi recently. For now, ZetaChain’s priority is to restore cross-chain functionality safely, reassure users that their funds remain secure, and tighten security around any contracts that handle multi-chain messaging and asset flows.