Zetachain Pauses Mainnet After GatewayZEVM Flaw Exposes $300K

Zetachain paused its mainnet and halted cross-chain transactions on April 28 after a vulnerability in the GatewayZEVM contract’s call function was exploited. The incident allowed an attacker to target internal team wallets worth roughly $300,000. The protocol confirmed that user funds were not directly affected.

Security firm Slowmist identified the root cause as a missing access control and a lack of input validation in the call function. Those gaps allowed any external address to invoke the function and submit arbitrary payloads that could be processed as legitimate cross-chain instructions. Independent researcher Wu Blockchain confirmed Slowmist’s findings hours after the exploit.

Zetachain’s security team stopped cross-chain activity while investigating the breach and is assessing the full scope of affected addresses. The protocol said it will publish a post-mortem once the investigation concludes. It has not confirmed whether the GatewayZEVM contract received a formal third-party security audit before deployment.

The incident follows another major cross-chain exploit earlier in April when a KelpDAO breach triggered broad liquidity withdrawals across decentralized finance protocols. In response to that earlier exploit, the Arbitrum Security Council froze 30,766 ETH linked to the exploiter.

Slowmist’s analysis pointed to a recurring class of vulnerabilities in smart contracts: functions that perform sensitive actions require explicit permission checks and validation of inputs so external data cannot be treated as trusted instructions. Researchers were able to pinpoint the entry point quickly, and Zetachain’s pause of cross-chain operations was implemented to prevent further unauthorized calls while work continues.