Key Takeaways:
ZetaChain paused cross-chain transactions on Tuesday after an exploit targeting the GatewayZEVM contract's call function hit internal team wallets. SlowMist identified the root cause as a lack of access control and input validation in the call function, allowing anyone to trigger malicious cross-chain calls without authorization. The incident marks the second major cross-chain exploit in April 2026, following the KelpDAO hack that triggered the worst DeFi liquidity crunch since 2024.
SlowMist's Preliminary Evaluation
The team pinpointed the GatewayZEVM contract's call function as the entry point. The function contained no access control and no input validation, a combination that allowed any external address, without authorization, to trigger malicious cross-chain calls and route them to arbitrary targets. Wu Blockchain independently confirmed the root cause shortly after.
ZetaChain said the exploit affected its own internal team wallets (estimated to be worth $300k), adding that user funds were not directly impacted. The protocol paused cross-chain transactions while its security team assessed the full scope of the breach. A post-mortem is expected once the investigation concludes.
Moreover, the incident arrives at a difficult moment for cross-chain infrastructure: earlier this month, the KelpDAO exploit triggered a cascade of liquidity withdrawals across decentralized finance (DeFi) protocols, resulting in the worst crunch in DeFi since 2024. The Arbitrum Security Council, however, took emergency action to freeze 30,766 ETH linked to the KelpDAO exploiter.
Access Control Was the Root Issue
SlowMist's findings have once again highlighted a recurring pattern in smart contract exploits, where missing or insufficient access controls are applied to functions that handle sensitive operations. In ZetaChain's case, the call function in GatewayZEVM was callable by any external address with no permission check, leaving the door open for arbitrary inputs to be processed as legitimate cross-chain instructions.
The absence of an input-validation backstop compounded the risk because, without checks on what data the function receives, attackers can craft a malicious payload and direct it to unintended destinations across chains (bypassing any assumed trust boundaries within the contract logic).
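The two missing controls described above, shown side by side in a hypothetical gateway contract. This is an added example, not ZetaChain's GatewayZEVM source: the contract name, storage layout, size limit and the assumption that off-chain relayers act on the `Called` event are all illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical gateway for illustration only; not ZetaChain's GatewayZEVM code.
// Assumption: off-chain relayers execute whatever the Called event describes.
contract ExampleGateway {
    address public immutable admin;
    uint256 public constant MAX_MESSAGE_BYTES = 2048; // assumed limit

    mapping(address => bool) public authorizedCaller;                  // who may originate calls
    mapping(uint256 => mapping(bytes32 => bool)) public allowedTarget; // chainId => keccak256(receiver)

    event Called(address indexed sender, uint256 indexed chainId, bytes receiver, bytes message);

    error Unauthorized(address caller);
    error InvalidInput();
    error TargetNotAllowed(uint256 chainId, bytes receiver);

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert Unauthorized(msg.sender);
        _;
    }

    function setCaller(address caller, bool ok) external onlyAdmin {
        authorizedCaller[caller] = ok;
    }

    function setTarget(uint256 chainId, bytes calldata receiver, bool ok) external onlyAdmin {
        allowedTarget[chainId][keccak256(receiver)] = ok;
    }

    // Weak pattern: no caller check and no input checks, so any address can
    // emit an instruction that downstream components treat as legitimate.
    function callUnchecked(uint256 chainId, bytes calldata receiver, bytes calldata message) external {
        emit Called(msg.sender, chainId, receiver, message);
    }

    // Hardened form: authenticate the caller first, then validate every input
    // before anything crosses the trust boundary.
    function call(uint256 chainId, bytes calldata receiver, bytes calldata message) external {
        if (!authorizedCaller[msg.sender]) revert Unauthorized(msg.sender);
        if (receiver.length == 0 || message.length > MAX_MESSAGE_BYTES) revert InvalidInput();
        if (!allowedTarget[chainId][keccak256(receiver)]) revert TargetNotAllowed(chainId, receiver);
        emit Called(msg.sender, chainId, receiver, message);
    }
}
```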
Security researchers have consistently flagged insufficient access controls as one of the most common and preventable vulnerabilities in production smart contracts. Whether ZetaChain's GatewayZEVM contract had undergone a formal third-party security audit prior to deployment has not been confirmed.






