
Layer 1 network ZetaChain said the April 24 exploit targeted a vulnerability in its cross-chain messaging pipeline.
On Monday, ZetaChain experienced an attack on the GatewayEVM contract, which serves as a unified entry point for cross-chain interactions between external networks and ZetaChain apps.
In a post-mortem published on Tuesday, ZetaChain reiterated that no user funds were lost from the attack, while only three internal team wallets were impacted. Total losses amounted to $333,868, comprising mainly USDC and USDT, across nine transactions on four chains — Ethereum, Arbitrum, Base, and BSC.
The report explained that the attacker exploited the interoperability-focused chain by combining three issues in the cross-chain messaging system.
ZetaChain's cross-chain system allowed anyone to request "arbitrary calls" with minimal restrictions, while the GatewayEVM contract on the receiving end accepted most commands, including "transferFrom."
Lastly, users who had previously deposited tokens through "GatewayEVM.deposit()" had granted unlimited approvals to spend the tokens, which were never revoked. The attacker leveraged this loophole to drain the tokens from the wallets, ZetaChain explained.
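The third condition, approvals that stay live after a deposit, can be audited from ERC-20 Approval logs. The sketch below is an added example, not code from ZetaChain or the post-mortem: it replays constructed logs in chain order and reports non-zero allowances still granted to a gateway address. All addresses are placeholders, and because spending a finite allowance does not always emit an Approval event, a reported finite amount should be confirmed with the token's allowance() call.

```python
# Added example: find allowances to a gateway that were never revoked.
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1  # the "unlimited" approval value

# Placeholder addresses (constructed); substitute the real gateway addresses.
GATEWAY = "0x" + "aa" * 20
OWNER_1 = "0x" + "11" * 20
OWNER_2 = "0x" + "22" * 20
TOKEN = "0x" + "cc" * 20

def topic_addr(addr):
    """Left-pad a 20-byte address to a 32-byte indexed topic."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def addr_from_topic(topic):
    """Recover the 20-byte address from a 32-byte topic."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, spenders):
    """Return {(token, owner, spender): amount} for live allowances to `spenders`.

    Logs must be in chain order: a later Approval overwrites an earlier one,
    so approve(spender, 0) clears the entry.
    """
    spenders = {s.lower() for s in spenders}
    state = {}
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # not an ERC-20 Approval (ERC-721 Approval has 4 topics)
        owner, spender = addr_from_topic(topics[1]), addr_from_topic(topics[2])
        if spender not in spenders:
            continue
        key = (log["address"].lower(), owner, spender)
        amount = int(log["data"], 16)
        if amount == 0:
            state.pop(key, None)   # revoked
        else:
            state[key] = amount    # still spendable by the gateway
    return state

def mk_log(owner, spender, amount):
    """Build a constructed Approval log in eth_getLogs shape."""
    return {"address": TOKEN, "data": hex(amount),
            "topics": [APPROVAL_TOPIC, topic_addr(owner), topic_addr(spender)]}

# Constructed sample: owner 1 never revoked; owner 2 approved, then revoked.
SAMPLE_LOGS = [mk_log(OWNER_1, GATEWAY, MAX_UINT256),
               mk_log(OWNER_2, GATEWAY, MAX_UINT256),
               mk_log(OWNER_2, GATEWAY, 0)]
```

Any key left in the result is an allowance the gateway can still spend with "transferFrom"; an amount equal to `MAX_UINT256` is an unlimited approval.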
"This was not an opportunistic attack," the team said. "The exploiter invested significant time and resources in preparation before executing."
ZetaChain noted that the attacker's wallet was funded through Tornado Cash around three days before the attack to deliberately mask the source of funds.
Additionally, the exploiter brute-forced a vanity address mimicking a victim's wallet, a classic address poisoning technique likely used to further obfuscate malicious onchain activity.
Following the exploit, the attacker quickly swapped the stolen USDC and USDT for ETH.
ZetaChain said it has since deployed a patch to the mainnet to eliminate the vulnerability. Its cross-chain transaction functionality, which was paused shortly after the exploit, remains closed and will be re-enabled after upgrades and additional reviews are completed.
"As a precautionary measure, we recommend all users who have previously interacted with the ZetaChain gateway contracts revoke any outstanding ERC-20 token allowances granted to the gateway addresses listed above," ZetaChain said.
The attack on ZetaChain follows the exploit of the LayerZero-powered cross-chain bridge Kelp DAO, which drained $292 million from the protocol. DefiLlama data shows that there have been at least 11 exploits targeting vulnerabilities in DeFi protocols in the past 10 days.
© 2026 The Block. All Rights Reserved.