USD
Cross-Chain Services Paused After GatewayZEVM Vulnerability
TL;DR
- ZetaChain said user wallets were not affected.
- The exploit hit internal team wallets through GatewayZEVM.
- Cross-chain services were paused while the attack vector was blocked.
We’ve launched the all-new COIN360 Perp DEX, built for traders who move fast!
Trade 130+ assets with up to 100× leverage, enjoy instant order placement and low-slippage swaps, and earn USDC passive yield while climbing the leaderboard. Your trades deserve more than speed — they deserve mastery.
ZetaChain contained a smart contract exploit on April 28, 2026, after a vulnerability in its GatewayZEVM contract allowed an attacker to drain funds from internal team wallets, with user wallets not affected.
The exploit targeted ZetaChain’s cross-chain messaging system rather than the ZETA token itself. ZetaChain developers said the incident “impacted the internal ZetaChain team wallets only,” and the latest confirmed status showed the attack vector had been blocked after cross-chain services were paused.
GatewayZEVM Bug Enabled Fraudulent Cross-Chain Calls
SlowMist identified the core issue as a vulnerability in GatewayZEVM’s call function, where missing access control and input validation allowed arbitrary users to invoke cross-chain calls. The attacker used that gap to create a malicious call on ZetaChain that emitted a fraudulent cross-chain event.
ZetaChain’s relayer treated the fraudulent event as valid and executed the call on the destination chain. That execution sent real funds without sufficient backing, allowing the attacker to siphon assets through the cross-chain transaction path rather than by directly compromising user wallets.
Only internal transfers on ZetaChain remained available during the response window. The identified funds were not reported as frozen or tagged, and the attacker was not reported to have traded or sold ZETA as part of the incident.
ZETA traded around $0.054 after the exploit, remaining in its usual range despite the security incident. The token was already more than 96% below its launch-era value.
Small Losses Still Exposed Cross-Chain Risk
ZetaChain is a public Layer 1 blockchain compatible with the Cosmos ecosystem and tied to the OmniChain model. Its applications are designed to execute cross-chain transfers through dedicated smart contracts, making relayer trust and event validation central to the system’s security model.
ZetaChain’s DeFi footprint was reported as under $1 million in smart-contract value after the October 2025 market crash. Network activity was also described as extremely low, with only a handful of daily users and about $8 in daily fees.
The wider exploit backdrop remained severe. DeFiLlama data showed more than $624 million lost to hacks and exploits during April 2026, the highest monthly level since February 2025.
FAQ
Were ZetaChain user wallets affected?
No. ZetaChain said the exploit affected internal team wallets only.
What contract was involved?
The exploit centered on the GatewayZEVM contract.
Was ZETA sold by the attacker?
No attacker sale or trade of ZETA was reported.
What remained unresolved?
The funds were not reported as frozen or tagged.
This article has been refined and enhanced by ChatGPT.
