---

On April 26 and 27, 2026, an unknown attacker exploited three compounding vulnerabilities in ZetaChain's GatewayEVM and GatewayZEVM contracts, the core entry points for the protocol's cross-chain messaging system. The attack drained approximately $333,625 in stablecoins from three internal team wallets spread across Ethereum, BNB Smart Chain, Base, and Arbitrum. ZetaChain paused cross-chain activity as a precaution, though its mainnet remained fully operational throughout. A post-mortem was published on April 29.

The attacker's address (0x00467f5921f1a343b96b9bf71ae7e9054ae72ea4) consolidated approximately 139 ETH (worth roughly $319,000 after fees and slippage) into a separate profits wallet (0x67107480FF880A876b7aA0C6CDC3ad92dC4a998a) across nine transactions over about ten hours.

How the Attack Worked

The exploit required three separate weaknesses to exist at the same time. Security firm SolidityScan noted in its technical breakdown that removing any single one of them would have stopped the attack entirely.

The first flaw was a missing access control on GatewayZEVM.call(), the function on ZetaChain's own network that initiates cross-chain messages. The function carried no permission check, meaning any external wallet could call it by paying a small gas fee in ZRC-20 tokens (ZetaChain's cross-chain token standard for representing assets across chains). The attacker used this to inject a crafted payload flagged as an "arbitrary call" into the cross-chain relay system.

The second flaw sat on the destination side. The execute() function in the GatewayEVM contract, deployed on Ethereum and other EVM chains, had a blocking list covering only two specific function types. It left the standard ERC-20 transferFrom selector wide open, allowing the attacker's payload to execute a direct token transfer from victim addresses.

The third flaw was the enabling condition: ZetaChain's own team wallets held active, open-ended ERC-20 spending approvals granted to the GatewayEVM contract. Without those pre-existing approvals, the transferFrom call would have failed immediately. Security firm SolidityScan described the combined effect plainly, writing that the bug "converts an 'arbitrary external call from the TSS' primitive into a free ERC20 drain against precisely those addresses that had previously approved the gateway."

ZetaChain's threshold signature scheme validators, who co-sign cross-chain transactions collectively without any single party holding a full private key, co-signed the resulting transaction on the destination chains, unaware the payload was malicious.

Team Wallets Only, but the Signal Is Broader

ZetaChain confirmed the scope quickly. "There was an attack against the ZetaChain GatewayEVM contract today that impacted the internal ZetaChain team wallets only," the team said in an official statement. "We've already blocked the attack vector so no more funds can be compromised."

That distinction matters. The losses here are not comparable to the Ronin ($625 million, 2022) or Wormhole ($320 million, 2022) bridge hacks that emptied user liquidity pools. Retail holders of ZETA and users of ZetaChain-based applications did not lose funds. Still, ZETA fell 5.7% in the 24 hours following the exploit, trading around $0.056 against a market capitalization of roughly $73 to $78 million.

SlowMist Security summarized the root cause more broadly: "The core vulnerability lies in the call function, which lacks both access control and input validation."

What Developers in Emerging Markets Should Do Now

ZetaChain has a documented community presence across India, Africa (including Nigeria), Turkey, South America, and the Philippines, regions where developers frequently build multi-chain applications spanning Ethereum, BSC, and Polygon because users there navigate differing gas costs and token availability across chains. Those builders now face a practical task.

Security firm Blockaid has urged any developer or protocol that has granted approval to a GatewayEVM contract on Ethereum, Arbitrum, Base, or BNB Smart Chain to revoke those approvals immediately. The exploit is a concrete demonstration that residual token approvals are not an administrative detail; they are a direct attack surface.

For Africa's DeFi sector in particular, which is at a pivotal adoption stage and frequently relies on cross-chain infrastructure to bridge liquidity across fragmented networks, incidents like this do not drain user funds directly but do slow the trust-building process that underpins institutional and retail adoption.

Wider Context

The ZetaChain incident is one of at least 12 documented DeFi security failures in April 2026 alone, a month that has seen more than $600 million in total losses, representing a 68% year-over-year increase in attack frequency. The largest single incident was the KelpDAO exploit on April 18, in which approximately $292 million was drained from a LayerZero bridge by North Korea's Lazarus Group. ZetaChain's losses account for approximately 0.056% of April's running total, but its three-flaw chain model is likely to become a reference case in cross-chain security writing and contract design risk analysis.

Cross-chain activity was paused as a precaution following the attack. The protocol serves roughly 4 million connected wallets and 290 integrated applications.