
ZetaChain suffered a targeted exploit on April 26, 2026, where attackers drained about $333,868 from three protocol-controlled wallets across four blockchains using a flaw in the GatewayEVM contract's arbitrary call function. The attacker bypassed sender verification by brute-forcing a vanity address and exploited pre-approved token allowances to transfer funds. No external user funds were affected, and ZetaChain paused cross-chain transactions, patched the vulnerability, and advised users to revoke token allowances. The incident highlights the importance of robust contract design and thorough bug bounty triage processes.