ZetaChain Exploit Reveals Ignored Bug Report Behind $334K Loss

Highlights:
- The ZetaChain exploit has been traced to a missed bug report that later enabled a $334K drain from internal wallets.
- The gateway design allowed attackers to combine flaws and move funds across multiple chains without additional approvals.
- The exploit adds to the rising DeFi incidents targeting approval and contract weaknesses.
ZetaChain said an attacker used a previously reported vulnerability to drain about $333,868 on April 26 from its GatewayEVM system. ZetaChain published a post-mortem on Wednesday explaining how the attacker executed the exploit. The attacker targeted the GatewayEVM contract within ZetaChain’s cross-chain messaging pipeline. The attacker drained funds from three ZetaChain-controlled wallets between 12:51 UTC and 23:00 UTC.
BREAKING: 🚨 ZetaChain identifies cross-chain messaging loophole as root cause of exploit that drained $333,868 from team wallets through three combined vulnerabilities.
— BlockAI News (@BlockAI_News) April 29, 2026
ZetaChain said a security researcher had reported the vulnerability earlier through its bug bounty program. The team reviewed the submission and classified the issue as intended behavior. That decision left the GatewayEVM contract exposed before the attack. The attacker later used the same flaw to trigger token transfers from approved wallets.
Users on X questioned why ZetaChain dismissed the bug report. One user said, “This bug was reported, and they simply ignored it.” The user added that some protocols fail to reward valid findings and react only after losses occur.
This bug was reported and they simply ignored it. That's how bug bounty programs work with these protocols currently; they incentivize losses for the protocol, the TVL, and the user's balance instead of paying the researcher for discovering and fixing the bug.
— Zero cool (@cr4shls0v3rr1d3) April 29, 2026
ZetaChain disclosed the incident on April 27 after detecting suspicious transactions. The team paused all cross-chain operations on the same day to stop further transfers. Engineers blocked the exploit path and began analyzing the combined flaws. ZetaChain confirmed that the attacker did not access user funds and only drained internal wallets. The post-mortem identified the GatewayEVM contract and messaging pipeline as the entry points used in the exploit.
How Gateway Design Gaps Enabled Multi-Chain Drain
ZetaChain said the attacker combined three design flaws to execute the exploit across multiple chains. Each flaw appeared limited during testing, but enabled full access when combined.
The GatewayEVM contract allowed external users to send cross-chain instructions without strict permission checks. The receiving contract executed most commands and accepted functions such as transferFrom. Wallets that had interacted with the gateway retained unlimited token approvals from earlier deposits.
These approvals allowed the contract to move tokens without fresh authorization. The attacker used these permissions to transfer funds from affected wallets. Each transaction instructed the gateway to call transferFrom and move tokens to the attacker’s address. The contract executed these instructions and completed the transfers.
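The interaction described above can be reproduced in a small in-memory model. This is an added illustration, not ZetaChain's contract code or code from the post-mortem: the `Token`, `Gateway` and `run` names, the balances, and the `blocked` denylist are all assumptions made for the example. It compares an unlimited approval with an exact-amount approval, and with a gateway that refuses to forward `transferFrom`.

```python
# Toy model (assumed names and amounts); not ZetaChain's code.
MAX_UINT256 = 2**256 - 1


class Token:
    """Minimal ERC-20 bookkeeping: balances plus (owner, spender) allowances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, sender, spender, amount):
        self.allowances[(sender, spender)] = amount

    def transferFrom(self, sender, owner, to, amount):
        allowed = self.allowances.get((owner, sender), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != MAX_UINT256:  # common ERC-20 behaviour: max is never decremented
            self.allowances[(owner, sender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Gateway:
    """Hypothetical gateway that forwards caller-chosen calls as itself."""

    def __init__(self, blocked=()):
        self.blocked = set(blocked)

    def deposit(self, token, owner, amount):
        token.transferFrom("gateway", owner, "gateway", amount)

    def execute(self, token, function, *args):
        if function in self.blocked:
            raise PermissionError(f"{function} is not callable through the gateway")
        getattr(token, function)("gateway", *args)  # the token sees the gateway as caller


def run(approval, blocked=()):
    """Wallet approves and deposits 100; a third party then requests a 500 move."""
    token, gateway = Token({"wallet": 1_000}), Gateway(blocked)
    token.approve("wallet", "gateway", approval)
    gateway.deposit(token, "wallet", 100)
    try:
        gateway.execute(token, "transferFrom", "wallet", "third_party", 500)
    except PermissionError:
        pass
    return token.balances["wallet"], token.balances.get("third_party", 0)
```

`run(MAX_UINT256)` leaves the wallet short by the extra 500, while `run(100)` and `run(MAX_UINT256, blocked={"transferFrom"})` both stop the second transfer: either control alone breaks the chain in this model.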
The attacker executed nine transactions across Ethereum, Arbitrum, Base, and BNB Smart Chain. The attacker drained USDC and USDT from the wallets and swapped the assets into ETH through decentralized exchanges. The exploiter consolidated about 139 ETH into a single wallet after swaps.
ZetaChain said the GatewayEVM contract serves as the main entry point for cross-chain activity. This structure allowed the attacker to affect multiple networks through one contract.
ZetaChain Exploit Shows Planned Attack and Response
ZetaChain said the attacker prepared the exploit over several days before executing the drain on April 26. The attacker funded the wallet through Tornado Cash three days before the exploit. The attacker deployed a custom drainer contract to support execution.
The exploiter used address poisoning to interfere with transaction tracking. The exploiter sent dust transfers to insert malicious addresses into wallet histories. ZetaChain removed unlimited token approvals from its deposit system and introduced exact-amount approvals. Engineers are reviewing the system before restoring cross-chain transactions. ZetaChain advised users who interacted with the gateway to revoke ERC-20 token allowances.
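To act on the advice to revoke allowances, a wallet owner or responder first needs to know which approvals to a given spender are still in place. The following is an added example, not a ZetaChain tool: it replays ERC-20 `Approval` logs in the `eth_getLogs` JSON shape and reports the last non-zero allowance per token and owner. Every address in the sample data is a constructed placeholder, including the one standing in for the gateway.

```python
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1


def topic_to_address(topic):
    """Indexed address topics are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def outstanding_allowances(logs, spender):
    """Map (token, owner) -> last non-zero amount approved for `spender`.

    `logs` must be in chain order; a later approve(spender, 0) clears the entry.
    """
    latest = {}
    for log in logs:
        topics = log["topics"]
        # ERC-721 shares this topic hash but indexes a third field (4 topics).
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[2]) != spender.lower():
            continue
        latest[(log["address"].lower(), topic_to_address(topics[1]))] = int(log["data"], 16)
    return {key: amount for key, amount in latest.items() if amount > 0}


def classify(amount):
    """Treat anything in the top half of uint256 as an effectively unlimited grant."""
    return "unlimited" if amount >= 2**255 else "finite"


def make_log(token, owner, spender, amount):
    """Build a constructed log entry for the sample data below."""
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}


# Constructed sample data: none of these are real addresses.
GATEWAY, OTHER = "0x" + "aa" * 20, "0x" + "cc" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
W1, W2 = "0x" + "b1" * 20, "0x" + "b2" * 20
SAMPLE_LOGS = [
    make_log(TOKEN_A, W1, GATEWAY, MAX_UINT256),  # still outstanding
    make_log(TOKEN_A, W2, GATEWAY, MAX_UINT256),
    make_log(TOKEN_A, W2, GATEWAY, 0),            # later revoked
    make_log(TOKEN_B, W1, OTHER, MAX_UINT256),    # different spender, ignored
    make_log(TOKEN_B, W2, GATEWAY, 250_000),      # exact-amount style approval
]
```

Many tokens decrement a finite allowance on `transferFrom` without emitting a new `Approval` event, so treat the result as a candidate list and confirm each entry with the token's `allowance(owner, spender)` view before and after revoking.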
Data shows that at least 11 DeFi exploits occurred within ten days. A separate exploit involving Kelp DAO exposed similar risks in cross-chain infrastructure.
Austin Mwendia







