A researcher flagged the exact vulnerability that drained ZetaChain’s gateway wallets. The team marked it as intended behavior and closed the ticket.

Three days later, an attacker funded a wallet via Tornado Cash, deployed a purpose-built drainer contract on ZetaChain, and ran an address poisoning campaign before executing the attack. The exploit ran from 12:51 to 23:00 UTC on April 26 and included nine cross-chain transactions across Ethereum, Arbitrum, Base, and BSC. By the end of it, about 139 ETH (~$333,868) had been drained into a single profits wallet.

The idea behind the attack, and its execution, are straightforward once you understand how three separate design flaws stacked up on ZetaChain. First, ZetaChain's GatewayZEVM.call() had no access control and no input validation, meaning any external address could trigger cross-chain calls and point them anywhere. Second, on the receiving end, GatewayEVM.execute() would run almost any command on any contract, with a blocklist so narrow it didn't catch basic token transfer functions. The third flaw completed the chain: wallets that had previously interacted with the gateway had left unlimited token spending approvals in place that were never revoked.

The attacker combined three unknown weaknesses and told the gateway to transfer tokens from the victims' wallets to their own, and the contract complied.

ZetaChain confirmed in its post-mortem that the bug had been submitted through its bounty program and dismissed. It also confirmed that the attack was not opportunistic: the pre-attack preparation was deliberate and staged. The announced fix permanently removes the arbitrary call functionality. Unlimited token approvals in the deposit flow have been replaced with exact-amount approvals per transaction.
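The blocklist and approval flaws described above, as an added Python example that is not ZetaChain's code: it contrasts a default-allow blocklist with a default-deny allowlist on call data, and flags allowances left larger than a deposit needs. The addresses, the deny-list entry, the app selector and the approval records are constructed assumptions; the ERC-20 selectors are the standard ones.

```python
# Added illustration, not ZetaChain code. Addresses, deny-list and records are constructed.
MAX_UINT256 = 2**256 - 1

# Standard ERC-20 selectors (first 4 bytes of keccak256 of the signature).
ERC20_SELECTORS = {
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "095ea7b3": "approve(address,uint256)",
}

def selector(calldata_hex):
    """Return the 4-byte selector of ABI calldata as 8 lowercase hex chars."""
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) < 8:
        raise ValueError("calldata shorter than a 4-byte selector")
    return data[:8]

def denylist_permits(calldata_hex, denied):
    """Default-allow filter: anything not named in `denied` is executed."""
    return selector(calldata_hex) not in denied

def allowlist_permits(target, calldata_hex, allowed):
    """Default-deny filter: only registered (target, selector) pairs run."""
    try:
        return (target.lower(), selector(calldata_hex)) in allowed
    except ValueError:
        return False  # malformed calldata is rejected, never forwarded

def lingering_approvals(approvals, spender):
    """Allowances to `spender` larger than the pending deposit requires."""
    return [a for a in approvals
            if a["spender"].lower() == spender.lower() and a["allowance"] > a["needed"]]

# --- constructed sample data ---
GATEWAY, TOKEN, APP = ("0x" + b * 20 for b in ("11", "22", "33"))
pad = lambda addr_byte: "00" * 12 + addr_byte * 20
TRANSFER_FROM = "0x23b872dd" + pad("aa") + pad("bb") + f"{10**18:064x}"
NARROW_DENYLIST = {"deadbeef"}          # hypothetical single blocked selector
ALLOWED = {(APP, "12345678")}           # hypothetical app entry point
APPROVALS = [
    {"owner": "0x" + "aa" * 20, "spender": GATEWAY, "allowance": MAX_UINT256, "needed": 0},
    {"owner": "0x" + "cc" * 20, "spender": GATEWAY, "allowance": 5, "needed": 5},
]

if __name__ == "__main__":
    name = ERC20_SELECTORS[selector(TRANSFER_FROM)]
    print(name, "passes deny-list:", denylist_permits(TRANSFER_FROM, NARROW_DENYLIST))
    print(name, "passes allow-list:", allowlist_permits(TOKEN, TRANSFER_FROM, ALLOWED))
    print("over-approved owners:", [a["owner"] for a in lingering_approvals(APPROVALS, GATEWAY)])
```

A default-deny filter rejects the token call because the (target, selector) pair was never registered, while the allowance check surfaces the standing unlimited approval that made such a call worth anything.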

No user funds were lost; only internal team wallets seem to have taken the hit. ZETA dropped 4.8% to roughly $0.054 in the 24 hours following the disclosure.

This is the second significant cross-chain exploit in April alone, following the $292 million Kelp DAO breach. April 2026 has now surpassed $600 million in total DeFi losses, the worst month since the $1.4 billion Bybit hack in February 2025. The pattern is consistent: bridge and gateway contracts remain the most reliably exploitable layer in crypto infrastructure, and the industry keeps learning the same lesson late.


Delogg News