TL;DR:
- ZetaChain identified three vulnerabilities in its cross-chain messaging system that allowed an attacker to drain $333,868.
- The losses, spread across nine transactions on four networks, only affected internal team wallets and not user funds.
- The exploit was premeditated: the attacker used Tornado Cash three days prior to conceal the origin of funds and executed an address poisoning attack.
The April 24 exploit against ZetaChain exposed three chained vulnerabilities in its cross-chain messaging system that allowed the attacker to extract $333,868 in assets from internal team wallets. The layer-1 network confirmed this in a post-mortem.
The attack vector involved the GatewayEVM contract, which acts as a unified entry point for interactions between external networks and ZetaChain applications. According to the report, the system allowed any user to request “arbitrary calls” with minimal restrictions, while the receiving contract accepted commands such as “transferFrom” without sufficient validation.
Adding to this, users who had deposited tokens via “GatewayEVM.deposit()” never revoked the unlimited spending approvals they had granted. The attacker combined these three conditions to drain funds across nine transactions distributed over Ethereum, Arbitrum, Base and BSC, with losses composed primarily of USDC and USDT.
An Attack Planned Weeks in Advance
The ZetaChain team was categorical in ruling out an opportunistic attack. According to the post-mortem, the attacker funded their wallet through Tornado Cash approximately three days before executing the exploit, with the explicit goal of masking the origin of the funds. Additionally, they launched a brute-force attack to generate a vanity address that mimicked one of the victims’, an address poisoning technique designed to obfuscate malicious on-chain activity. Once the exploit was complete, the attacker quickly converted the stolen USDC and USDT into ETH.
ZetaChain Deploys an Emergency Patch
ZetaChain deployed a patch on mainnet to eliminate the vulnerability. The cross-chain transaction functionality, suspended immediately after the incident, remains inactive until additional updates and reviews are completed. The team recommended that all users who have interacted with the gateway contracts revoke the pending ERC-20 permissions granted to those addresses.
