ZetaChain Halts Cross-Chain Transfers After Bridge Exploit

ZetaChain halted cross-chain transfers after a GatewayZEVM bridge flaw allowed an attacker to drain funds from team wallets. Services were paused for more than 15 hours; user wallets were not affected.

ZetaChain stopped all cross-chain transfers after a flaw in its GatewayZEVM bridge contract let an attacker trigger unauthorized transactions that drained funds from team-controlled wallets. The project paused cross-chain activity for more than 15 hours while engineers contained the exposure and restricted activity to internal transfers on ZetaChain.

ZetaChain disclosed that the GatewayZEVM contract lacked sufficient access controls and validation. The vulnerability allowed a malicious call to be submitted and then accepted by the relayer as a valid cross-chain request. That acceptance triggered an outgoing payment on the destination chain, sending real funds on Ethereum to the attacker.

On-chain analysis shows the loss was limited to USDC held on an Ethereum address and totaled under $10,000. Those funds have not been frozen or tagged on-chain. ZetaChain reported that only project-controlled wallets were exposed and stated it had “cut the losses.” The project said user wallets were not affected.

Network operators halted cross-chain transfers for over 15 hours to prevent further outflows. During the pause, relayer software no longer processed cross-chain requests and only transfers internal to ZetaChain remained possible while engineers investigated and contained the issue.

ZetaChain is a public layer-1 chain built for permissionless cross-chain transfers. It is compatible with the Cosmos ecosystem and the OmniChain project and relies on dedicated smart contracts, like GatewayZEVM, to move assets between ZetaChain and external networks.

Data from April show a surge in smart-contract exploits, with hundreds of millions of dollars lost across Web3 during the month. Security researchers note attackers frequently target bridge and cross-chain components when validation and access controls are weak.

Since a market downturn in October 2025, ZetaChain’s on-chain footprint has been small. Its DeFi smart contracts hold under $1 million, daily activity is limited to a handful of users, and reported daily fees are around $8. The native ZETA token was not involved in the exploit and traded near $0.054 after the incident; the token has declined more than 96% since launch.

ZetaChain has not published a detailed post-mortem while the pause remains in effect. The specific fixes planned for the GatewayZEVM contract have not been disclosed. Industry participants continue to monitor bridge code and relayer behavior as cross-chain activity grows and as attackers focus on interoperability components.
