
According to ZetaChain, a security breach led to the theft of approximately $334,000 through vulnerabilities in its cross-chain gateway infrastructure. The attack targeted internal team wallets using a multi-chain approach. ZetaChain responded by suspending services and implementing security patches.
In its official statement, ZetaChain said the breach centered on the GatewayEVM contract, which manages cross-chain message passing and token transfers. Malicious actors exploited design flaws to execute unauthorized withdrawals.
The theft occurred across four blockchain networks: Ethereum, Arbitrum, Base, and BSC. ZetaChain said attackers leveraged multiple security gaps in the messaging infrastructure, including a gateway system that allowed unrestricted function calls between connected blockchains. The architectural weakness enabled remote activation of critical contract functions without proper safeguards.
ZetaChain also reported that the recipient contract processed different command types, including direct token movement operations. It said insufficient validation mechanisms failed to block malicious instructions, allowing attackers to siphon funds from compromised addresses.
The exploit relied on pre-existing unlimited token approvals granted to the gateway smart contract. ZetaChain said these permissions were established during earlier deposit transactions and were not revoked. Attackers then used transferFrom functions to extract ERC-20 tokens from wallets with active allowances.
The platform stated that the incident affected only three wallets under team control. It said end-user deposits and holdings remained secure throughout the attack, while the breach underscored risks associated with permanent token permission grants.
ZetaChain added that security researchers had previously flagged the vulnerability through its bug bounty program, but the submission was dismissed as intended functionality rather than a critical flaw. The platform said this classification error contributed to the incident when combined with other weaknesses during the actual exploit.
After detecting unauthorized transactions, ZetaChain halted all cross-chain functionality. Engineers developed and deployed remediation code to remove the arbitrary call feature. Services remained suspended pending comprehensive security audits and system enhancements.
The updated architecture replaces blanket token approvals with transaction-specific permission models, which ZetaChain said reduces potential attack vectors going forward. The platform also urged users to revoke outstanding allowances associated with gateway infrastructure.
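The lingering unlimited approvals described above, and the advice to revoke them, can be checked by replaying a wallet's ERC-20 Approval logs. The following is an added example, not ZetaChain's code: the gateway, token and wallet addresses are constructed placeholders, and the logs are assumed to be already fetched and in chain order.

```python
# Added example: replay ERC-20 Approval logs to list allowances still open to a spender.
# Log replay is an approximation; the token's allowance(owner, spender) is authoritative.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def _addr(topic):
    """An indexed address is a 32-byte topic; the address is its low 20 bytes."""
    return "0x" + topic[-40:].lower()

def open_allowances(logs, spender):
    """Return {(token, owner): amount} for non-zero allowances granted to spender.
    Logs must be in chain order: a later Approval overwrites an earlier one."""
    spender, state = spender.lower(), {}
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # ERC-721 Approval shares the signature but has 4 topics
        if _addr(topics[2]) != spender:
            continue
        state[(log["address"].lower(), _addr(topics[1]))] = int(log["data"], 16)
    return {k: v for k, v in state.items() if v > 0}

def unlimited(allowances):
    """(token, owner) pairs whose allowance is the max uint256 'infinite' value."""
    return sorted(k for k, v in allowances.items() if v == MAX_UINT256)

# --- constructed sample data: every address below is a placeholder ---
GATEWAY, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
T1, T2 = "0x" + "11" * 20, "0x" + "22" * 20
A, B, C = "0x" + "01" * 20, "0x" + "02" * 20, "0x" + "03" * 20

def _log(token, owner, spender, amount):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [
    _log(T1, A, GATEWAY, MAX_UINT256),  # blanket approval, never revoked
    _log(T1, B, GATEWAY, MAX_UINT256),
    _log(T2, C, GATEWAY, 500),          # bounded approval
    _log(T1, A, OTHER, MAX_UINT256),    # different spender, ignored
    _log(T1, B, GATEWAY, 0),            # B revokes
]

if __name__ == "__main__":
    for token, owner in unlimited(open_allowances(SAMPLE_LOGS, GATEWAY)):
        print(f"revoke: owner={owner} token={token} spender={GATEWAY}")
```

Bounded allowances that are still open also appear in the `open_allowances` result, so they can be reviewed alongside the unlimited ones.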
ZetaChain said the attackers prepared the operation in advance. It reported that initial funding came through Tornado Cash, and that address poisoning tactics were used to create confusion. The platform added that stolen assets were immediately converted to ETH, complicating tracking.
The incident was framed as part of wider concerns about smart contract security across decentralized finance ecosystems. ZetaChain said industry data points to an increasing frequency of exploits targeting architectural vulnerabilities in recent months, and it announced comprehensive reviews of both bug bounty procedures and overall security protocols.