ZetaChain dismissed bug report that could have prevented $334K

ZetaChain disclosed that a vulnerability in its GatewayEVM cross‑chain gateway allowed an attacker to drain roughly $333,868 from internal team wallets, while user funds remained unaffected. The team said the exploit was detected quickly and the attack vector was blocked.

According to the project's post‑mortem and on‑chain analyses, the attacker chained together weaknesses in the arbitrary‑call logic and GatewayEVM’s acceptance of broad commands (including transferFrom), executing nine transactions across Ethereum, Arbitrum, Base and BSC. Investigators found preparatory activity—funding via Tornado Cash and address poisoning—indicating the exploit was deliberate and planned. Reports also note that prior bug‑bounty submissions had flagged similar behavior but were dismissed by the team as intended.

ZetaChain halted cross‑chain transfers to contain the incident, deployed a patch to close the exploited call path, and recommended users revoke legacy ERC‑20 allowances. Security firms and on‑chain trackers urged immediate revocation of approvals for the Gateway contract across affected EVM chains to reduce contagion risk. The project committed to a fuller technical report after additional review.

The episode amplifies systemic concerns about interoperability layers and bridge designs that allow broad arbitrary calls; April 2026 has seen multiple high‑profile bridge incidents, pressuring interoperability protocols' security assumptions. Market participants are repricing risk for cross‑chain infrastructure and related tokens as a result.

Analysts say near‑term priorities are a transparent post‑mortem, independent audits, and redesigned bug‑bounty triage to avoid dismissing critical reports. For investors, the immediate outlook centers on ZETA token volatility and the timeline for safely resuming cross‑chain operations; the project's remediation and communication will determine whether confidence can be restored.