ZetaChain GatewayEVM Exploit — April 27, 2026 Post-Mortem (Aggregated)
The Incident
On April 27, 2026, ZetaChain suffered a security exploit targeting its GatewayEVM smart contract — the main entry point for all cross-chain interactions on the network. Total drain was $333,868 across four chains. ZetaChain repeatedly emphasized that only internal team-controlled wallets were impacted and no user funds were affected. Cross-chain transactions were paused as a precaution.
How the Attack Worked
SlowMist identified the root cause as missing access control and input validation in the call function of the GatewayEVM contract. Specifically, the contract's arbitrary-call code path allowed any caller to trigger cross-chain calls without authorization checks, making it possible to forge cross-chain messages by impersonating arbitrary source addresses. The attacker used this primitive to drain funds from internal ZetaChain team wallets across Ethereum, Arbitrum, Base, BNB Smart Chain, Polygon, and Avalanche.
The Core Technical Issue
The vulnerability is a classic missing-authorization flaw in a privileged cross-chain primitive: the call function trusted the source-address parameter from the caller without verifying it against the actual on-chain origin or signed cross-chain message. Once an attacker could specify any source address, they could impersonate ZetaChain's own team wallets (or any other authorized address) and direct the GatewayEVM to forward funds on their behalf.
Scope of Loss
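To make the flaw described in the two sections above concrete, the following is an added illustrative example and not ZetaChain's GatewayEVM source. It shows a minimal Solidity gateway whose forwarding function trusts a caller-supplied sender address, beside a hardened version that restricts the forwarding path to a designated relayer (TSS) address and adds replay protection on a message id. The contract names, the IReceiver interface, the onlyTss modifier and the messageId check are assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contracts only (assumed names; not ZetaChain's GatewayEVM code).
// Both gateways forward an outbound call to `target` on behalf of `sender`,
// mimicking the cross-chain "call" primitive discussed above.

interface IReceiver {
    function onCall(address sender, bytes calldata data) external payable;
}

// VULNERABLE: `sender` is chosen by the caller and nothing checks who is calling.
// Any account can pass an address it does not control, and the receiver will
// believe the call originated from that address.
contract VulnerableGateway {
    event Called(address indexed claimedSender, address indexed target, address indexed origin);

    function call(address sender, address target, bytes calldata data) external payable {
        emit Called(sender, target, msg.sender);
        IReceiver(target).onCall{value: msg.value}(sender, data);
    }
}

// HARDENED: only the configured relayer/TSS address may invoke the forwarding
// path, `sender` is an attestation made by that relayer rather than a free
// parameter, and each message id can execute once. The unauthenticated
// arbitrary-call path simply does not exist.
contract HardenedGateway {
    address public immutable owner;
    address public tss;                        // assumed: single relayer key allowed to forward messages
    mapping(bytes32 => bool) public executed;  // replay protection keyed by message id

    event TssUpdated(address indexed oldTss, address indexed newTss);
    event Called(bytes32 indexed messageId, address indexed sender, address indexed target);

    error Unauthorized(address caller);
    error AlreadyExecuted(bytes32 messageId);

    modifier onlyTss() {
        if (msg.sender != tss) revert Unauthorized(msg.sender);
        _;
    }

    constructor(address initialTss) {
        owner = msg.sender;
        tss = initialTss;
    }

    // Key rotation is restricted to the deployer and logged for monitoring.
    function setTss(address newTss) external {
        if (msg.sender != owner) revert Unauthorized(msg.sender);
        emit TssUpdated(tss, newTss);
        tss = newTss;
    }

    function call(bytes32 messageId, address sender, address target, bytes calldata data)
        external
        payable
        onlyTss
    {
        if (executed[messageId]) revert AlreadyExecuted(messageId);
        executed[messageId] = true;
        emit Called(messageId, sender, target);
        IReceiver(target).onCall{value: msg.value}(sender, data);
    }
}
```

In the hardened contract an arbitrary caller cannot reach onCall at all, which matches the shape of the fix the page reports (the arbitrary code path removed rather than merely gated). The Called event in the vulnerable version deliberately records msg.sender alongside the claimed sender: a monitor that compares the two fields is the simplest detection for this class of spoofing, since any divergence between the claimed source and the actual invoker is exactly the condition the exploit relies on.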
• $333,868 total across 6 chains affected (Ethereum, Arbitrum, Base, BSC, Polygon, Avalanche).
• Loss limited to ZetaChain team-internal wallets — not user deposits, not LP funds, not relayer collateral.
Response
• Cross-chain transactions paused on ZetaChain mainnet immediately after detection.
• A zetaclient patch was developed, tested on Testnet, then rolled out to mainnet operator nodes.
• The patch permanently disables the arbitrary call code path that made the exploit possible.
• ZetaChain confirmed user funds remained unaffected and provided regular status updates via X.
Why This Matters
GatewayEVM is the canonical entry point for ZetaChain's universal cross-chain messaging, so a missing-authorization bug here is structurally severe even though the actual loss was contained to team wallets only because those wallets happened to be the most-funded targets. A more sophisticated attacker could have used the same primitive against larger user-facing contracts on connected chains.