{"id":71734,"date":"2026-04-28T07:02:42","date_gmt":"2026-04-28T07:02:42","guid":{"rendered":"https:\/\/crowdfundjunction.com\/blog\/zetachain-pauses-mainnet-after-gatewayzevm-contract-exploit-targets-protocol-wallets\/"},"modified":"2026-04-28T07:02:42","modified_gmt":"2026-04-28T07:02:42","slug":"zetachain-pauses-mainnet-after-gatewayzevm-contract-exploit-targets-protocol-wallets","status":"publish","type":"post","link":"https:\/\/crowdfundjunction.com\/blog\/zetachain-pauses-mainnet-after-gatewayzevm-contract-exploit-targets-protocol-wallets\/","title":{"rendered":"Zetachain Pauses Mainnet After GatewayZEVM Contract Exploit Targets Protocol Wallets"},"content":{"rendered":"<p><b>(Originally posted on : Bitcoin News )<\/b><br \/>\n<\/p>\n<div>\n<p><strong>Key Takeaways:<\/strong><\/p>\n<ul>\n<li><span style=\"font-weight:400\">Zetachain paused cross-chain transactions on Tuesday after an exploit targeting the GatewayZEVM contract\u2019s call function hit internal team wallets. <\/span><\/li>\n<li><span style=\"font-weight:400\">Slowmist identified the root cause as a missing access control and input validation in the call function, allowing any user to trigger malicious cross-chain calls without authorization. <\/span><\/li>\n<li><span style=\"font-weight:400\">The incident marks the second major cross-chain exploit in April 2026, following the KelpDAO hack that triggered the worst <span>DeFi<\/span> <span>liquidity<\/span> crunch since 2024.<\/span><\/li>\n<\/ul>\n<h2><span style=\"font-weight:400\">Slowmist\u2019s Preliminary Analysis<\/span><\/h2>\n<p><span style=\"font-weight:400\">The <\/span><a href=\"https:\/\/x.com\/SlowMist_Team\/status\/2048967080867954744\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight:400\">team pinpointed<\/span><\/a><span style=\"font-weight:400\"> the GatewayZEVM contract\u2019s call function as being the entry point. 
The function contained no access control and no input validation, a combination that allowed any external address, without authorization, to trigger malicious cross-chain calls and route them toward arbitrary targets. Wu <span>Blockchain<\/span> <\/span><a href=\"https:\/\/x.com\/WuBlockchain\/status\/2048977121192858054\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight:400\">independently confirmed the root cause<\/span><\/a><span style=\"font-weight:400\"> shortly after.<\/span><\/p>\n<p><span style=\"font-weight:400\">Zetachain said the exploit affected its own internal team wallets (estimated to be worth $300k), adding that user funds were not directly impacted. The protocol paused cross-chain transactions while its security team assessed the full scope of the breach. 
A post-mortem is expected once the investigation concludes.<\/span><\/p>\n<p><span style=\"font-weight:400\">The incident arrives at a difficult moment for cross-chain infrastructure: earlier this month, the <\/span><a href=\"https:\/\/news.bitcoin.com\/cryptoquant-kelpdao-hack-contagion-triggers-worst-defi-liquidity-crunch-since-2024\/\"><span style=\"font-weight:400\">KelpDAO exploit<\/span><\/a><span style=\"font-weight:400\"> triggered a cascade of <span>liquidity<\/span> withdrawals across <span>decentralized finance<\/span> (<a href=\"http:\/\/www.bitcoin.com\/get-started\/what-is-defi-decentralized-finance\/\" class=\"lar_link lar_link_outgoing\" target=\"_blank\" rel=\"noopener noreferrer\">DeFi<\/a>) protocols, resulting in the worst liquidity crunch in <a href=\"http:\/\/www.bitcoin.com\/get-started\/what-is-defi-decentralized-finance\/\" class=\"lar_link lar_link_outgoing\" target=\"_blank\" rel=\"noopener noreferrer\">DeFi<\/a> since 2024. The Arbitrum Security Council, however, took <\/span><a href=\"https:\/\/news.bitcoin.com\/arbitrum-security-council-freezes-kelpdao-exploiter-eth\/\"><span style=\"font-weight:400\">emergency action to freeze 30,766 ETH<\/span><\/a><span style=\"font-weight:400\"> linked to the KelpDAO exploiter.<\/span><\/p>\n<h2><span style=\"font-weight:400\">Access Control Was the Root Issue<\/span><\/h2>\n<p><span style=\"font-weight:400\">Slowmist\u2019s findings have once again highlighted a recurring pattern in <a href=\"http:\/\/www.bitcoin.com\/get-started\/what-is-a-smart-contract\/\" class=\"lar_link lar_link_outgoing\" target=\"_blank\" rel=\"noopener noreferrer\">smart contract<\/a> exploits: missing or insufficient access controls on functions that handle sensitive operations. 
In Zetachain\u2019s case, the call function in GatewayZEVM was callable by any external address with no permission check, leaving the door open for arbitrary inputs to be processed as legitimate cross-chain instructions.<\/span><\/p>\n<p><span style=\"font-weight:400\">The absence of input validation compounded the risk because, without checks on what data the function receives, attackers can craft a malicious payload and direct it to unintended destinations across chains (bypassing any assumed trust boundaries within the contract logic).<\/span><\/p>\n<p><span style=\"font-weight:400\">Security researchers have consistently flagged insufficient access controls as one of the most common and preventable vulnerabilities in production <a href=\"http:\/\/www.bitcoin.com\/get-started\/what-is-a-smart-contract\/\" class=\"lar_link lar_link_outgoing\" target=\"_blank\" rel=\"noopener noreferrer\">smart contracts<\/a>. Whether Zetachain\u2019s GatewayZEVM contract had undergone a formal third-party security audit prior to deployment has not been confirmed.<\/span><\/p>\n<\/div>\n<p><a href=\"https:\/\/news.bitcoin.com\/zetachain-gatewayzevm-exploit-mainnet-paused\/\">Source link <\/a><br \/>\n<br \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>(Originally posted on : Bitcoin News ) Key Takeaways: Zetachain paused cross-chain transactions on Tuesday after an exploit targeting the GatewayZEVM contract\u2019s call function hit internal team wallets. Slowmist identified the root cause as a missing access control and input validation in the call function, allowing any user to trigger malicious cross-chain calls without authorization. 
[&hellip;]<\/p>\n","protected":false},"author":3947362404,"featured_media":71735,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[32],"tags":[],"_links":{"self":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/posts\/71734"}],"collection":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/users\/3947362404"}],"replies":[{"embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/comments?post=71734"}],"version-history":[{"count":0,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/posts\/71734\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/media\/71735"}],"wp:attachment":[{"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/media?parent=71734"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/categories?post=71734"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/crowdfundjunction.com\/blog\/wp-json\/wp\/v2\/tags?post=71734"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}