Key Takeaways:
Zetachain paused cross-chain transactions on Tuesday after an exploit targeting the GatewayZEVM contract’s call function hit internal team wallets. Slowmist identified the root cause as a missing access control and input validation in the call function, allowing any user to trigger malicious cross-chain calls without authorization. The incident marks the second major cross-chain exploit in April 2026, following the KelpDAO hack that triggered the worst DeFi liquidity crunch since 2024. Slowmist’s Preliminary AnalysisZetachain said the exploit affected its own internal team wallets (estimated to be worth $300k), adding that user funds were not directly impacted. The protocol paused cross-chain transactions while its security team assessed the full scope of the breach. A post-mortem is expected once the investigation concludes.
Access Control Was the Root IssueThe absence of an input-validation breakstop compounded the risk because, without checks on what data the function receives, attackers can craft a malicious payload and direct it to unintended destinations across chains (bypassing any assumed trust boundaries within the contract logic).
