
ZetaChain’s $334K Gateway Exploit: How a Chained Vulnerability Drained Team Wallets Across 4 Chains


TLDR: ZetaChain’s GatewayEVM arbitrary call flaw allowed attackers to drain $333,868 across four blockchains. All three wallets drained were ZetaChain-controlled; no external user funds were lost in the exploit. The attacker brute-forced a vanity address with 13 matching characters to execute an address poisoning attack. A bug bounty report flagging this vulnerability was previously dismissed as intended protocol behavior by ZetaChain.

ZetaChain confirmed a targeted exploit on April 26, 2026, resulting in losses of approximately $333,868. The attack targeted the protocol’s GatewayEVM contract through a deliberate chain of design weaknesses. No external user funds were lost in the incident. All three affected wallets were under ZetaChain’s control. A patch has since been deployed, and cross-chain transactions remain paused pending full operator upgrades.

How the Attacker Exploited the Gateway Contract

The exploit centered on the arbitrary call functionality within ZetaChain’s GatewayEVM contract. An attacker used the isArbitraryCall flag to bypass normal sender verification in cross-chain messages. This caused the ZetaClient software to zero out the sender address, routing calls through _executeArbitraryCall(). That function performed raw external calls with minimal restrictions.

The function’s only protection was a deny-list blocking the onCall and onRevert selectors. Critical ERC-20 functions like transferFrom and approve were left unblocked. The attacker set the destination to an ERC-20 token contract and passed transferFrom as the calldata. Since the gateway held pre-existing allowances from victim wallets, it executed the transfer successfully.

Nine drain transactions occurred across four chains — Ethereum, Base, Arbitrum, and BSC. The largest single drain was $110,291 in USDC on Base. A comprehensive Dune Analytics scan confirmed no additional victims existed across all five connected EVM chains.

ZetaChain addressed the incident directly on X, stating that “cross-ch...
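To make the deny-list gap concrete, here is an added example (not ZetaChain's code, and not its actual patch) that models the selector check the article describes beside a layered policy a reviewer would expect on an executor that holds user allowances. The ERC-20 selectors are the standard values; the onCall/onRevert selectors, the token address and the wallets are constructed placeholders.

```python
# Selectors are the first four bytes of keccak256 over the function signature.
# ERC-20 values below are the standard ones; the two callback selectors are
# constructed placeholders standing in for the gateway's real onCall/onRevert.
TRANSFER = bytes.fromhex("a9059cbb")       # transfer(address,uint256)
TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)
APPROVE = bytes.fromhex("095ea7b3")        # approve(address,uint256)
ON_CALL = bytes.fromhex("0badc0de")        # placeholder, not the real selector
ON_REVERT = bytes.fromhex("0badc0df")      # placeholder, not the real selector

CALLBACKS = {ON_CALL, ON_REVERT}
TOKEN_MOVING = {TRANSFER, TRANSFER_FROM, APPROVE}


def selector(calldata: bytes) -> bytes:
    """Return the 4-byte function selector; reject calldata too short to carry one."""
    if len(calldata) < 4:
        raise ValueError("calldata shorter than a selector")
    return calldata[:4]


def deny_list_policy(target: str, calldata: bytes, token_contracts: set[str]) -> bool:
    """The weak check described in the article: only the gateway's own
    callback selectors are blocked, so a transferFrom into a token passes."""
    return selector(calldata) not in CALLBACKS


def hardened_policy(target: str, calldata: bytes, token_contracts: set[str]) -> bool:
    """Layered check: refuse calls into known token contracts, refuse token-moving
    selectors anywhere, and keep the callbacks blocked. A contract that holds
    allowances must never relay caller-chosen calldata into the tokens it can spend."""
    sel = selector(calldata)
    if target.lower() in token_contracts:
        return False
    return sel not in TOKEN_MOVING and sel not in CALLBACKS


def encode_transfer_from(owner: str, to: str, amount: int) -> bytes:
    """ABI-encode transferFrom(owner, to, amount): selector + three 32-byte words.
    Used here only to build the calldata shape a policy has to recognise."""
    return (
        TRANSFER_FROM
        + bytes.fromhex(owner[2:]).rjust(32, b"\0")
        + bytes.fromhex(to[2:]).rjust(32, b"\0")
        + amount.to_bytes(32, "big")
    )
```

Feed both policies the same constructed transferFrom call aimed at a registered token address: the deny-list returns True (call goes through), the layered policy returns False.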
