Zetachain Pauses Mainnet After GatewayZEVM Contract Exploit Targets Protocol Wallets
Key Takeaways: Zetachain said the exploit affected its own internal team wallets (estimated to be worth $300k), adding that user funds were not directly impacted. The protocol paused cross-chain transactions while its security team assessed the full scope of the breach. A post-mortem is expected once the investigation concludes. Moreover, the incident arrives at a difficult moment for cross-chain infrastructure as earlier this month, the KelpDAO exploit triggered a cascade of liquidity withdrawals across decentralized finance ( DeFi) protocols, resulting in the worst crunch in DeFi since 2024. The Arbitrum Security Council, however, took emergency action to freeze 30,766 ETH linked to the KelpDAO exploiter. Slowmist’s findings have once again highlighted a recurring pattern in smart contract exploits where missing or insufficient access controls are applied on functions that handle sensitive operations. In Zetachain’s case, the call function in GatewayZEVM was deployable by any external address with no permission check, leaving the door open for arbitrary inputs to be processed as legitimate cross-chain instructions. The absence of an input-validation breakstop compounded the risk because, without checks on what data the function receives, attackers can craft a malicious payload and direct it to unintended destinations across chains (bypassing any assumed trust boundaries within the contract logic). Security researchers have consistently flagged insufficient access controls as one of the most common and preventable vulnerabilities in production smart contracts. Whether Zetachain’s GatewayZEVM contract had undergone a formal third-party security audit prior to deployment has not been confirmed.Access Control Was the Root Issue
About Author
