# ZetaChain Halts Cross-Chain Operations After $300K GatewayEVM Exploit – No User Funds Lost

ZetaChain, the cross-chain interoperability protocol that connects Bitcoin, Ethereum, and Solana without bridges, suffered a targeted smart contract exploit on April 27, 2026. The attack hit the protocol’s GatewayEVM contract – the main entry point for all cross-chain operations – and resulted in approximately $300,000 in losses drawn entirely from internal team wallets.

The project moved quickly, halting all cross-chain transactions within hours of detecting the breach and patching the attack vector before any user funds were compromised. As of April 28, ZetaChain confirmed that the exploit vector is closed, though full service restoration remains pending a security audit.

## What Happened

The GatewayEVM contract serves as ZetaChain’s primary interface between the protocol’s native chain and EVM-compatible networks. An attacker identified a vulnerability in the contract that allowed them to siphon funds from addresses controlled by the ZetaChain team – specifically wallets used for operational and development purposes.

Security firm Blockaid, which flagged the attack in real time, confirmed the exploit was contained to internal wallets. The ZETA token supply wasn’t affected, and no user deposit addresses or liquidity pools were drained.

“There was an attack against the ZetaChain GatewayEVM contract today that impacted the internal ZetaChain team wallets only,” the project confirmed on its official channels. “We’ve already blocked the attack vector so no more funds can be compromised.”

The $300,000 loss figure, while modest compared to the nine-figure DeFi exploits that have become distressingly common, carries significance because of where it hit: the protocol’s own treasury infrastructure rather than user-facing contracts.

## April Becomes Crypto’s Worst Hack Month in Over a Year

The ZetaChain attack didn’t happen in isolation. April 2026 has become the worst month for crypto security in more than a year, with total losses blowing through $600 million across multiple incidents. The month’s largest hack – the KelpDAO exploit – drained over $13 billion in TVL and triggered a recovery fund that Aave backstopped with $160 million in financing.

The cumulative scale of April’s breaches has renewed pressure on the broader DeFi system to address smart contract security at the infrastructure level rather than relying on post-hoc recovery mechanisms.

Cross-chain protocols have been disproportionately targeted. Bridges and interoperability layers represent concentrated attack surfaces because they necessarily hold large pools of locked assets across multiple chains simultaneously. ZetaChain’s “universal” approach – connecting chains at the protocol level rather than wrapping assets in bridges – was designed partly to reduce this risk, but the GatewayEVM attack shows that any contract handling cross-chain logic is a high-value target.

## ZetaChain’s Architecture and the Security Tradeoff

ZetaChain positions itself as a Layer-1 that achieves interoperability without wrapping assets or requiring external validators – a meaningful architectural difference from traditional bridges like Wormhole or LayerZero. Instead of lock-and-mint mechanics, ZetaChain uses observers and validators on its own chain to authenticate cross-chain messages natively.

The GatewayEVM is the EVM-side implementation of this architecture. It’s a relatively new component, and the exploit suggests that the contract hadn’t been sufficiently hardened against edge-case attack vectors before deployment.

ZetaChain hasn’t disclosed the specific vulnerability that was exploited, citing the ongoing security review. A full post-mortem is expected following the audit completion. The protocol has committed to publishing a detailed breakdown of the attack vector, affected contracts, and remediation steps – a standard that DeFi protocols have increasingly adopted in the wake of major exploits.

## What Users and Integrators Should Know

For users with funds on ZetaChain, the picture is clear: no user assets were at risk during this exploit. The team’s quick containment response prevented the attack from spreading to user-facing contracts.

For developers building on ZetaChain or integrators relying on its cross-chain functionality, the service outage is a real disruption. Applications that route cross-chain transactions through GatewayEVM are offline until the audit clears and the protocol resumes operations. No timeline for full service restoration has been confirmed.

Cross-chain operations via ZetaChain’s Bitcoin and Solana connectors are also suspended during the pause, as these ultimately route through the same validator infrastructure.

## The Broader Security Reckoning

The ZetaChain incident adds to mounting evidence that smart contract security audits – while necessary – aren’t sufficient. The GatewayEVM contract had almost certainly been reviewed before deployment. Yet an attacker still found a vector.

The industry is increasingly moving toward formal verification tools, bug bounty programs with meaningful payouts, and protocol-level circuit breakers that can automatically pause operations when anomalous activity is detected. ZetaChain’s manual halt was effective, but automated detection would have reduced response time and potentially limited losses further.

As April 2026’s hack tally climbs toward what may be a monthly record, the cost of inadequate smart contract security is becoming impossible to rationalize against audit expenses.

## FAQ

Was user money stolen in the ZetaChain hack?
No. The ZetaChain exploit targeted only internal team wallets. User funds, the ZETA token supply, and liquidity pools weren’t affected by the GatewayEVM attack.

How much was stolen from ZetaChain?
Approximately $300,000 was drained from ZetaChain team-controlled wallets during the GatewayEVM exploit on April 27, 2026.

When will ZetaChain cross-chain operations resume?
ZetaChain hasn’t confirmed a restoration timeline. Full service will resume following a security audit of the GatewayEVM contract and related infrastructure. The exploit vector has been patched.

Sources: ZetaChain official statement (April 27, 2026), CryptoTimes, BanklessTimes, Blockaid, Cryptowisser

CryptoGazette Editorial