ZetaChain Exploit Reveals Cross-Chain Messaging Vulnerability

ZetaChain disclosed that a cross-chain messaging flaw enabled a $333,868 exploit affecting internal wallets. The incident highlights persistent security risks in interoperability layers that connect multiple blockchain networks.

The attack occurred on April 24 and targeted the network’s GatewayEVM contract, which routes cross-chain interactions, according to ZetaChain’s post-mortem. Losses were limited to three internal wallets across nine transactions spanning Ethereum, Arbitrum, Base, and BNB Chain, primarily in USD Coin (USDC) and Tether (USDT). The protocol confirmed no user funds were impacted.

How Did Cross-Chain Permissions Enable The Exploit?

The vulnerability stemmed from a combination of design choices within the messaging system. Arbitrary call requests faced minimal restrictions, while the receiving contract accepted broad command types such as “transferFrom.” At the same time, previously granted unlimited token approvals through GatewayEVM deposits remained active, creating a pathway for unauthorized transfers.

Security data suggests cross-chain infrastructure is increasingly targeted, with at least 11 decentralized finance (DeFi) exploits recorded in the past 10 days, according to DeFiLlama. The ZetaChain incident follows a significantly larger $292 million exploit involving Kelp DAO’s LayerZero-based bridge, underscoring how interoperability layers concentrate risk compared to single-chain protocols.

Source: DeFiLlama

“This was not an opportunistic attack,” the ZetaChain team stated, noting the exploiter prepared extensively before execution.

The attacker funded their wallet through Tornado Cash and deployed address poisoning tactics using a vanity address, before converting stolen stablecoins into Ether (ETH).

ZetaChain has since patched the vulnerability and paused cross-chain operations pending further audits and upgrades. The team advised users to revoke outstanding ERC-20 approvals linked to gateway contracts, as scrutiny now shifts to whether additional weaknesses emerge before functionality is restored.
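As an added example (not ZetaChain's code), the Python below sketches two defender-side checks that map onto the post-mortem's findings above: screening arbitrary cross-chain call payloads so that a selector which spends allowances granted to the gateway (such as transferFrom) is never forwarded, and replaying ERC-20 Approval logs to find outstanding unlimited approvals to a gateway address and build the approve(spender, 0) revocation the team recommends. The gateway, wallet and token addresses are constructed placeholders; the selectors and event topic are the standard ERC-20 values.

```python
# Standard ERC-20 selectors (first 4 bytes of keccak256 of the signature).
SEL_TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)
SEL_APPROVE = bytes.fromhex("095ea7b3")  # approve(address,uint256)
# Standard ERC-20 Approval(address,address,uint256) event topic.
TOPIC_APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1
# Calls that spend allowances granted *to the gateway* must not be reachable
# through an arbitrary cross-chain call request executed by the gateway.
DENIED_SELECTORS = {SEL_TRANSFER_FROM, SEL_APPROVE}

def screen_arbitrary_call(calldata: bytes) -> bool:
    """Return True only if an arbitrary-call payload may be forwarded."""
    return len(calldata) >= 4 and calldata[:4] not in DENIED_SELECTORS

def _topic_to_address(topic: str) -> str:
    # An indexed address is a 32-byte word; the address is its low 20 bytes.
    return "0x" + topic[-40:].lower()

def _address_to_topic(address: str) -> str:
    return "0x" + address[2:].lower().rjust(64, "0")

def outstanding_allowances(logs, gateways):
    """Replay Approval logs (assumed in chain order) and return
    {(token, owner, spender): amount} for allowances still granted to a
    gateway. Approval carries the new absolute allowance, so the last wins."""
    gateways = {g.lower() for g in gateways}
    current = {}
    for log in logs:
        if log["topics"][0].lower() != TOPIC_APPROVAL:
            continue
        key = (log["address"].lower(), _topic_to_address(log["topics"][1]),
               _topic_to_address(log["topics"][2]))
        current[key] = int(log["data"], 16)
    return {k: v for k, v in current.items() if k[2] in gateways and v > 0}

def revoke_calldata(spender: str) -> bytes:
    """ABI-encode approve(spender, 0), the transaction that revokes an allowance."""
    word = bytes.fromhex(spender[2:]).rjust(32, b"\0")
    return SEL_APPROVE + word + (0).to_bytes(32, "big")

# Constructed sample data (placeholders, not the real GatewayEVM or any real wallet):
# a deposit granted an unlimited USDC approval to the gateway and it was never revoked.
GATEWAY, WALLET, USDC = ("0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20)
SAMPLE_LOGS = [{"address": USDC, "data": hex(UNLIMITED),
                "topics": [TOPIC_APPROVAL, _address_to_topic(WALLET), _address_to_topic(GATEWAY)]}]

if __name__ == "__main__":
    for (token, owner, spender), amount in outstanding_allowances(SAMPLE_LOGS, [GATEWAY]).items():
        print(f"{owner} -> {spender} on {token}: {'UNLIMITED' if amount == UNLIMITED else amount}")
        print("revoke tx data:", revoke_calldata(spender).hex())
```

Against a live chain the same replay works over eth_getLogs results filtered on TOPIC_APPROVAL and the wallet's address topic.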
