News linked to both this project and an event.
According to an official disclosure by ZetaChain, on April 27, ZetaChain suffered a targeted vulnerability exploit. The attacker first acquired funds via Tornado Cash and performed wallet address spoofing, then exploited a vulnerability in GatewayEVM’s arbitrary call functionality, resulting in approximately $334,000 in losses across four connected chains. ZetaChain stated that this attack did not affect cross-chain $ZETA transfers; all affected wallets were under ZetaChain’s internal control, and user funds remained unaffected. A patch for the mainnet has now been deployed, and cross-chain transactions will resume after ongoing monitoring.
SlowMist stated that ZetaChain has been exploited. Preliminary analysis indicates the root cause of the vulnerability lies in the lack of access control and input validation in the call function of the GatewayZEVM contract. This allowed attackers to initiate malicious cross-chain calls and, via the relayer mechanism, execute arbitrary operations on the target chain to transfer funds. SlowMist noted that the attacker forged cross-chain events to trigger the relayer into executing malicious calls, thereby stealing funds. The relevant attack transactions have been disclosed.
According to an official announcement, ZetaChain stated that its GatewayEVM contract was attacked today, with the impact limited solely to internal wallets controlled by the ZetaChain team. The official statement confirmed that the attack vector has been blocked and no further funds are currently at risk. As a precautionary measure, ZetaChain has suspended cross-chain transactions. Meanwhile, the investigation remains ongoing; according to the official statement, no user funds have been affected by this incident, and a detailed post-mortem report will be released upon completion of the investigation.