
ZetaChain’s $334K Gateway Exploit: How a Chained Vulnerability Drained Team Wallets Across 4 Chains

2026/04/29 17:44

TLDR:

  • ZetaChain’s GatewayEVM arbitrary call flaw allowed attackers to drain $333,868 across four blockchains.
  • All three wallets drained were ZetaChain-controlled; no external user funds were lost in the exploit.
  • The attacker brute-forced a vanity address with 13 matching characters to execute an address poisoning attack.
  • A bug bounty report flagging this vulnerability was previously dismissed as intended protocol behavior by ZetaChain.

ZetaChain confirmed a targeted exploit on April 26, 2026, resulting in losses of approximately $333,868. The attack targeted the protocol’s GatewayEVM contract through a deliberate chain of design weaknesses.

No external user funds were lost in the incident. All three affected wallets were under ZetaChain’s control. A patch has since been deployed, and cross-chain transactions remain paused pending full operator upgrades.

How the Attacker Exploited the Gateway Contract

The exploit centered on the arbitrary call functionality within ZetaChain’s GatewayEVM contract. An attacker used the isArbitraryCall flag to bypass normal sender verification in cross-chain messages.

This caused ZetaClient software to zero out the sender address, routing calls through _executeArbitraryCall(). That function performed raw external calls with minimal restrictions.

The function’s only protection was a deny-list blocking onCall and onRevert selectors. Critical ERC-20 functions like transferFrom and approve were left unblocked.

The attacker set the destination as an ERC-20 token contract and passed transferFrom as the calldata. Since the gateway held pre-existing allowances from victim wallets, it executed the transfer successfully.

Nine drain transactions occurred across four chains — Ethereum, Base, Arbitrum, and BSC. The largest single drain was $110,291 in USDC on Base.

A comprehensive Dune Analytics scan confirmed no additional victims existed across all five connected EVM chains.

ZetaChain addressed the incident directly on X, stating that “cross-chain ZETA transfers were not affected” and that “no user funds were affected — all impacted wallets were ZetaChain-controlled.”

The Attacker’s Preparation Was Methodical and Deliberate

This was not an opportunistic attack. The hacker funded the primary wallet through Tornado Cash approximately three days before executing the exploit. That deliberate step obscured the origin of funds ahead of the operation.

The attacker also brute-forced a vanity wallet address that closely resembled a victim’s real address. The fake address shared 13 matching hexadecimal characters with the real one — four at the prefix and nine at the suffix.

Generating this required an estimated 4.5 quadrillion trial keys, costing between $300 and $2,500 in GPU compute.

That fake address was used to send dust transactions to the victim, planting a lookalike in their transaction history.

This technique exploits how wallet interfaces truncate addresses for display. A purpose-built drainer contract was also deployed on ZetaChain to orchestrate the cross-chain calls.
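The lookalike-address check described above, as an added example that is not ZetaChain's code: it measures how many leading and trailing hex digits a history counterparty shares with a trusted address, and shows that the truncated rendering wallets use makes a 4-prefix/9-suffix lookalike indistinguishable from the real address. All addresses and the sample history are constructed.

```python
"""Spot address-poisoning lookalikes in a wallet's transaction history.

Added example, not ZetaChain's code. The attacker above brute-forced a
vanity address sharing the first 4 and last 9 hex digits of a victim
address and sent dust from it, so a truncated wallet display rendered
both addresses identically. All addresses below are constructed.
"""
import re

HEX40 = re.compile(r"^(0x)?[0-9a-fA-F]{40}$")

def normalize(addr):
    """Return the 40 lowercase hex digits of an EVM address, without 0x."""
    if not HEX40.match(addr):
        raise ValueError(f"not an EVM address: {addr!r}")
    return addr[-40:].lower()

def display(addr, head=4, tail=4):
    """Mimic the truncated rendering most wallet UIs use: 0xabcd...a987."""
    h = normalize(addr)
    return "0x" + h[:head] + "..." + h[-tail:]

def shared_affix(a, b):
    """Count leading and trailing hex digits two addresses have in common."""
    a, b = normalize(a), normalize(b)
    if a == b:
        return 40, 40
    prefix = next(i for i in range(40) if a[i] != b[i])
    suffix = next(i for i in range(40) if a[-1 - i] != b[-1 - i])
    return prefix, suffix

def find_lookalikes(trusted, history, min_prefix=4, min_suffix=4):
    """Flag counterparties in history ((address, value_wei) pairs) that mimic
    a trusted address: non-identical, with at least min_prefix leading and
    min_suffix trailing digits in common. Value is reported, not filtered on,
    since poisoning dust can be any size.
    """
    hits = []
    for counterparty, value in history:
        for real in trusted:
            p, s = shared_affix(counterparty, real)
            if min_prefix <= p < 40 and s >= min_suffix:
                hits.append(("0x" + normalize(counterparty), "0x" + normalize(real), p, s, value))
    return hits

# Constructed sample: REAL is the genuine recipient; FAKE shares 4 + 9 digits.
REAL = "0xabcd0123456789abcdef0123456789afedcba987"
FAKE = "0xabcd999999999999999999999999999fedcba987"
OTHER = "0x1234567890123456789012345678901234567890"
HISTORY = [(REAL, 10**18), (OTHER, 5 * 10**17), (FAKE, 1)]  # FAKE sent 1 wei dust
```

Running `find_lookalikes([REAL], HISTORY)` flags only FAKE, while `display(REAL)` and `display(FAKE)` both return `0xabcd...a987`, which is the whole reason copying an address from history is unsafe.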

Every single drain succeeded with zero destination failures. The post-mortem noted this pattern, suggesting “the hacker had carefully pre-validated each target’s allowance state and token balances before executing.”

ZetaChain’s Response and User Recommendations

ZetaChain paused all cross-chain transactions within eight minutes of detecting the attack. The team removed infinite allowance approvals from the ZetaHub deposit flow the same day. New deposits now approve only exact amounts required per transaction.

A zetaclient patch was developed, tested on Testnet, and is now rolling out to mainnet operator nodes. The patch permanently disables the arbitrary call code path that made this exploit possible. Validator node operators do not need to take action — only observer nodes require the upgrade.

All identified exploiter addresses were flagged through the SEAL 911 emergency response network. A report was also filed with law enforcement through IC3.gov. Stolen funds on Ethereum were swapped to approximately 139 ETH and moved to a consolidation wallet.

ZetaChain is also reviewing its bug bounty triage process. The post-mortem acknowledged that the vulnerability had been flagged earlier, noting that “initial reports were dismissed as the arbitrary call behavior was considered by-design.”

The protocol added that the incident has since prompted a review of triage procedures for chained attack vectors. Users with prior gateway interactions are advised to revoke ERC-20 allowances using tools like Revoke.cash.
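An allowance audit for the exact-amount approval change and the revocation advice above, as an added example that is not ZetaChain's code: it decodes raw `approve(address,uint256)` calldata, flags an unbounded amount, and builds the zero-amount approval that revokes it. The gateway spender address and the sample calldata are constructed placeholders.

```python
"""Audit ERC-20 approve() calldata for unbounded allowances.

Added example, not ZetaChain's code. The response above replaced the
infinite approvals in the deposit flow with exact-amount approvals and
advised users to revoke stale gateway allowances. This decoder inspects
raw approve(address,uint256) calldata as shown in a signing prompt or
trace, flags unbounded amounts, and builds the zero-amount calldata that
revokes one. The spender address and sample calldata are constructed.
"""
APPROVE_SELECTOR = "095ea7b3"        # first 4 bytes of keccak256("approve(address,uint256)")
TRANSFER_FROM_SELECTOR = "23b872dd"  # first 4 bytes of keccak256("transferFrom(address,address,uint256)")
UINT256_MAX = 2**256 - 1

def _strip(hexstr):
    return (hexstr[2:] if hexstr.startswith("0x") else hexstr).lower()

def selector(calldata):
    """First 4 bytes of calldata, as 8 hex digits."""
    return _strip(calldata)[:8]

def decode_approve(calldata):
    """Return (spender, amount) for approve calldata, else None."""
    data = _strip(calldata)
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[8 + 24:8 + 64]  # address is right-aligned in its 32-byte word
    amount = int(data[8 + 64:], 16)
    return spender, amount

def is_unbounded(amount, needed=None):
    """True for the uint256 max, or for anything above the amount the deposit needs."""
    return amount == UINT256_MAX or (needed is not None and amount > needed)

def encode_approve(spender, amount):
    """Build approve(spender, amount) calldata; amount 0 revokes the allowance."""
    s = _strip(spender)
    if len(s) != 40 or not (0 <= amount <= UINT256_MAX):
        raise ValueError("bad spender or amount")
    return "0x" + APPROVE_SELECTOR + s.rjust(64, "0") + format(amount, "064x")

def revoke_calldata(spender):
    return encode_approve(spender, 0)

# Constructed sample: a deposit approved a placeholder gateway spender for uint256 max.
GATEWAY = "0x" + "ee" * 20
INFINITE = encode_approve(GATEWAY, UINT256_MAX)
EXACT = encode_approve(GATEWAY, 10**6)  # exactly 1 USDC (6 decimals)
```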

The post ZetaChain’s $334K Gateway Exploit: How a Chained Vulnerability Drained Team Wallets Across 4 Chains appeared first on Blockonomi.
