ZetaChain breach tests cross-chain safeguards

ZetaChain has paused cross-chain transactions after a smart contract attack targeted its GatewayEVM infrastructure, adding fresh pressure on interoperability projects that move assets and messages across multiple blockchains.

The incident was flagged on April 27 when Blockaid warned users about an active exploit involving ZetaChain cross-chain contracts and urged anyone with approvals to GatewayEVM contracts on Ethereum, Arbitrum, Base and other EVM-compatible chains to revoke permissions immediately. ZetaChain later said the attack affected only internal team wallets, that no user funds had been impacted, and that the attack vector had been blocked.

The project has kept cross-chain activity suspended while it investigates the breach and prepares a detailed post-mortem. The pause is significant because ZetaChain’s value proposition rests on allowing decentralised applications to operate across networks, including EVM chains and non-EVM ecosystems. A disruption to that layer directly affects transfers, routing and smart contract calls that depend on its gateway architecture.

Early blockchain-security analysis pointed to a weakness in the GatewayZEVM or GatewayEVM call flow, with the most serious concern involving missing access controls and insufficient input validation. Such a flaw could allow an unauthorised party to trigger cross-chain calls and execute operations through relayers on connected networks. The distinction between GatewayEVM and GatewayZEVM matters technically, but the broader issue is clear: a core routing component in the cross-chain system became the focal point of the attack.

Estimated losses have been placed around $300,000 to $318,000, largely involving stablecoins such as USDC and USDT. Security reviews tracking on-chain movements indicated that funds were drained across several destination chains, including Ethereum, BNB Chain, Base and Arbitrum. The amounts involved are modest compared with the largest bridge failures of the past several years, but the attack carries outsized significance because it struck a system designed to provide secure interoperability across blockchain networks.

ZetaChain’s immediate public position has been that user assets were not compromised. The project said the affected wallets belonged to the team and that no further funds were at risk after the attack path was blocked. That assurance may limit panic among users, but it does not remove the reputational challenge for a protocol whose main appeal is secure cross-chain execution.

GatewayEVM serves as a key entry point between external EVM-compatible chains and applications built on ZetaChain. It helps process cross-chain messages and token movements, making it one of the most sensitive parts of the network’s architecture. Any flaw in such a component can have cascading consequences because permissions, relayers, contracts and user approvals may all interact across chains.

Blockaid’s advice to revoke approvals was aimed at reducing residual risk. Token approvals allow smart contracts to move assets from a user’s wallet within authorised limits. When a contract is suspected of being vulnerable, revoking those permissions becomes a basic containment step, even where there is no confirmed loss of user funds. The warning also underlined the growing role of real-time security firms in the crypto market, where detection and public alerts can move faster than formal project disclosures.

The attack comes during a difficult month for decentralised finance security. Industry tracking has placed April losses from hacks and exploits at well above half a billion dollars, with cross-chain and liquidity-linked protocols among the areas drawing close scrutiny. Bridges and interoperability layers remain attractive targets because they often control concentrated pools of value and rely on complex communication between chains.

ZetaChain launched as a Layer 1 blockchain focused on omnichain applications, aiming to connect assets and smart contracts across networks such as Bitcoin, Ethereum and other major ecosystems. Its model is part of a broader industry shift towards applications that are not confined to a single blockchain. That ambition, however, has also increased the technical burden on security teams because cross-chain systems must validate activity across environments with different assumptions, consensus models and execution rules.