Particle.news

ZetaChain Patches Gateway Flaw After $334,000 Drain From Team Wallets

The fix disables a risky arbitrary-call path that let the gateway use standing token allowances to move funds.

Overview

  • ZetaChain said the GatewayEVM exploit on Sunday drained about $333,868 across Ethereum, Base, Arbitrum and BSC from three team-controlled wallets, with no external user funds affected.
  • The attacker used an arbitrary-call route that bypassed sender checks and let the gateway call token contracts directly. A narrow blocklist on that route did not cover transferFrom, so old unlimited approvals to the gateway could be used to pull tokens.
  • The operation was staged with Tornado Cash funding days earlier, a vanity lookalike address used for poisoning wallet histories, and a custom drainer, with nine successful drains including a $110,291 USDC hit on Base.
  • ZetaChain paused cross-chain activity within eight minutes of detection, began rolling out a client update that disables the arbitrary-call path, and replaced infinite token approvals with exact-amount approvals.
  • The post-mortem admitted a prior bug-bounty report on the core issue was dismissed as by-design, and the team is reviewing triage while flagging exploiter addresses via SEAL 911, reporting to IC3, and noting on-chain checks found no other victims.
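
Why the switch from infinite to exact-amount approvals limits this class of loss, as an added example that is not ZetaChain's code or taken from the post-mortem: a toy ERC-20 allowance ledger that compares what a spender can still move after a deposit under each approval style. The names `Token`, `deposit`, `standing_exposure` and `run`, the wallet labels and the amounts are constructed, and leaving an unlimited allowance undecremented is an assumption modelled on common token implementations.

```python
MAX_UINT256 = 2**256 - 1  # the value conventionally used for an "unlimited" approval


class Token:
    """Toy ERC-20 ledger (constructed model, not any real token's code)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> remaining amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount  # overwrites the previous value

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance.get((owner, spender), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            return False
        if allowed != MAX_UINT256:  # assumption: unlimited allowance is never decremented
            self.allowance[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


def deposit(token, owner, gateway, amount, unlimited):
    """Owner approves the gateway, then the gateway pulls the deposit."""
    token.approve(owner, gateway, MAX_UINT256 if unlimited else amount)
    if not token.transfer_from(gateway, owner, gateway, amount):
        raise RuntimeError("deposit failed")


def standing_exposure(token, owner, spender):
    """Amount the spender could still move from owner using the leftover allowance."""
    allowed = token.allowance.get((owner, spender), 0)
    return min(allowed, token.balances.get(owner, 0))


def run(unlimited):
    """Return (exposure after deposit, whether a later pull succeeds, owner's final balance)."""
    token = Token({"team_wallet": 1_000})
    deposit(token, "team_wallet", "gateway", 100, unlimited)
    exposure = standing_exposure(token, "team_wallet", "gateway")
    # Any later token call issued by the gateway is bounded by the leftover allowance.
    pulled = token.transfer_from("gateway", "team_wallet", "other", 900)
    return exposure, pulled, token.balances["team_wallet"]
```

Running `standing_exposure` over every (owner, spender) pair for a given spender gives the amount at risk if that spender contract can be made to issue token calls.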