• Zetachain paused cross-chain transactions on Tuesday after an exploit targeting the GatewayZEVM contract’s call function hit internal team wallets.
• Slowmist identified the root cause as a missing access control and input validation in the call function, allowing any user to trigger malicious cross-chain calls without authorization.
• The incident marks the second major cross-chain exploit in April 2026, following the KelpDAO hack that triggered the worst DeFi liquidity crunch since 2024.

The team pinpointed the GatewayZEVM contract’s call function as being the entry point. The function contained no access control and no input validation, a combination that allowed any external address, without authorization, to trigger malicious cross-chain calls and route them toward arbitrary targets. Wu Blockchain independently confirmed the root cause shortly after.

Image source: X

Zetachain said the exploit affected its own internal team wallets (estimated to be worth $300k), adding that user funds were not directly impacted. The protocol paused cross-chain transactions while its security team assessed the full scope of the breach. A post-mortem is expected once the investigation concludes.

Moreover, the incident arrives at a difficult moment for cross-chain infrastructure as earlier this month, the KelpDAO exploit triggered a cascade of liquidity withdrawals across decentralized finance ( DeFi) protocols, resulting in the worst crunch in DeFi since 2024. The Arbitrum Security Council, however, took emergency action to freeze 30,766 ETH linked to the KelpDAO exploiter.

Slowmist’s findings have once again highlighted a recurring pattern in smart contract exploits where missing or insufficient access controls are applied on functions that handle sensitive operations. In Zetachain’s case, the call function in GatewayZEVM was deployable by any external address with no permission check, leaving the door open for arbitrary inputs to be processed as legitimate cross-chain instructions.

The absence of an input-validation breakstop compounded the risk because, without checks on what data the function receives, attackers can craft a malicious payload and direct it to unintended destinations across chains (bypassing any assumed trust boundaries within the contract logic).

Security researchers have consistently flagged insufficient access controls as one of the most common and preventable vulnerabilities in production smart contracts. Whether Zetachain’s GatewayZEVM contract had undergone a formal third-party security audit prior to deployment has not been confirmed.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。