{"id":96603,"date":"2026-04-29T14:21:05","date_gmt":"2026-04-29T11:21:05","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=96603"},"modified":"2026-04-29T14:25:27","modified_gmt":"2026-04-29T11:25:27","slug":"zetachain-discloses-details-of-334000-cross-chain-attack","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/zetachain-discloses-details-of-334000-cross-chain-attack\/","title":{"rendered":"ZetaChain Discloses Details of $334,000 Cross-Chain Attack"},"content":{"rendered":"<p>The L1 network ZetaChain has released a <span data-descr=\"incident analysis result after resolving the issue\" class=\"old_tooltip\">post-mortem<\/span> of the hacking attack that occurred on <a href=\"https:\/\/forklog.com\/en\/news\/zetachain-halts-cross-chain-operations-following-smart-contract-breach\">April 27<\/a>. The team stated that the breach was due to a vulnerability in the <a href=\"https:\/\/forklog.com\/en\/news\/what-are-cross-chain-bridges\">cross-chain<\/a> messaging mechanism.\u00a0<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">On Apr 27, ZetaChain experienced a targeted exploit involving deliberate preparation, including Tornado Cash funding and wallet address spoofing. <\/p>\n<p>Cross-chain ZETA transfers were not affected.<\/p>\n<p>No user funds were affected \u2014 all impacted wallets were ZetaChain-controlled.<\/p>\n<p>A\u2026<\/p>\n<p>\u2014 ZetaChain \ud83d\udfe9 (@ZetaChain) <a href=\"https:\/\/twitter.com\/ZetaChain\/status\/2049312093334130829?ref_src=twsrc%5Etfw\">April 29, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The GatewayEVM contract was targeted, serving as a single point of failure in interactions between external networks and applications within the ecosystem.\u00a0<\/p>\n<p>Users were not affected: the exploit impacted only three internal developer wallets. The total damage amounted to $333,868 (mainly in <a href=\"https:\/\/forklog.com\/en\/news\/what-is-the-usdc-stablecoin\">USDC<\/a> and <a href=\"https:\/\/forklog.com\/en\/news\/what-is-tether-usdt\">USDT<\/a>). The attacker withdrew funds through nine transactions in Ethereum, <a href=\"https:\/\/forklog.com\/en\/news\/what-is-arbitrum\">Arbitrum<\/a>, <a href=\"https:\/\/forklog.com\/en\/news\/what-is-base-coinbases-l2\">Base<\/a>, and BSC.\u00a0<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-40c70a9bee704bb0-3062889495093668.webp\" alt=\"image\" class=\"wp-image-279219\"\/><figcaption class=\"wp-element-caption\">Stolen assets. Source: <a href=\"https:\/\/zetachain.notion.site\/post-mortem-4-26-2026\">ZetaChain<\/a>.\u00a0<\/figcaption><\/figure>\n<p>ZetaChain explained the breach as a combination of three factors:<\/p>\n<ul class=\"wp-block-list\">\n<li>the network&#8217;s architecture allowed any user to make arbitrary calls with minimal restrictions;<\/li>\n<li>GatewayEVM on the receiving side processed a wide range of commands, including transferFrom \u2014 allowing asset transfers on behalf of another address with approval;<\/li>\n<li>old unlimited permissions were not automatically revoked: users who had previously deposited tokens via GatewayEVM.deposit() granted the contract unlimited rights to withdraw funds.\u00a0<\/li>\n<\/ul>\n<p>Developers believe the hacker prepared the attack in advance: he funded the wallet through the crypto mixer <a href=\"https:\/\/forklog.com\/en\/news\/what-is-the-tornado-cash-mixer-and-why-was-it-sanctioned\">Tornado Cash<\/a> three days before the incident. The attacker used the <a href=\"https:\/\/forklog.com\/en\/news\/cz-proposes-measures-to-combat-address-poisoning\">&#8220;address poisoning&#8221; method<\/a>. After the theft, he converted the assets to ETH.\u00a0<\/p>\n<p>The ZetaChain team released a patch on the mainnet and fixed the vulnerability. Users were advised to revoke all old <a href=\"https:\/\/forklog.com\/en\/news\/what-are-erc-20-tokens\">ERC-20<\/a> permissions.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Syndicate and Aftermath Breach<\/h2>\n<p>On April 28, the Ethereum infrastructure project Syndicate was breached. The team recorded &#8220;unusual movements&#8221; of native SYND tokens \u2014 presumably due to the compromise of the Commons cross-chain bridge.\u00a0<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">We are investigating unusual movements in SYND tokens that may indicate a possible security issue.<\/p>\n<p>We recommend avoiding provisioning any liquidity until this is resolved.<\/p>\n<p>\u2014 Syndicate (@syndicateio) <a href=\"https:\/\/twitter.com\/syndicateio\/status\/2049331932702593315?ref_src=twsrc%5Etfw\">April 29, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>&#8220;We are monitoring the attack and engaging with cybersecurity firms. We are also considering options for compensating losses. Syndicate has sufficient tokens to assist affected users,&#8221; the developers wrote.\u00a0<\/em><\/p>\n<\/blockquote>\n<p>The attack was confirmed by CertiK specialists, who estimated the damage at $330,000.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/CertiKInsight?src=hash&#038;ref_src=twsrc%5Etfw\">#CertiKInsight<\/a> \ud83d\udea8<\/p>\n<p>We have seen an exploit involving <a href=\"https:\/\/twitter.com\/syndicateio?ref_src=twsrc%5Etfw\">@syndicateio<\/a> through a compromise of the Commons bridge.<\/p>\n<p>This address acquired ~18.5M SYND and sold them for ~$330 K, which has been bridged to Ethereum.<a href=\"https:\/\/t.co\/2KictJaGPV\">https:\/\/t.co\/2KictJaGPV<\/a><\/p>\n<p>Stay Vigilant!<a href=\"https:\/\/t.co\/kmbcBFl3AM\">https:\/\/t.co\/kmbcBFl3AM<\/a> <a href=\"https:\/\/t.co\/EvfZFz2R6x\">pic.twitter.com\/EvfZFz2R6x<\/a><\/p>\n<p>\u2014 CertiK Alert (@CertiKAlert) <a href=\"https:\/\/twitter.com\/CertiKAlert\/status\/2049378233410613647?ref_src=twsrc%5Etfw\">April 29, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The attacker acquired approximately 18.5 million SYND, sold them, and transferred the assets to Ethereum.\u00a0<\/p>\n<p>Following the incident, the coin&#8217;s price fell by more than 36% \u2014 to $0.02, according to <a href=\"https:\/\/www.coingecko.com\/en\/coins\/syndicate\">CoinGecko<\/a>.\u00a0<\/p>\n<p>Meanwhile, CertiK reported a breach of the Aftermath Finance exchange in the <a href=\"https:\/\/forklog.com\/en\/news\/sui-an-ambitious-blockchain-and-cryptocurrency-from-meta-alumni\">Sui<\/a> ecosystem. According to experts, the cybercriminal withdrew about $900,000 in USDC.\u00a0<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/CertiKInsight?src=hash&#038;ref_src=twsrc%5Etfw\">#CertiKInsight<\/a> \ud83d\udea8 <\/p>\n<p>We have seen an exploit involving <a href=\"https:\/\/twitter.com\/AftermathFi?ref_src=twsrc%5Etfw\">@AftermathFi<\/a>. <\/p>\n<p>~$900K USDC drained so far <a href=\"https:\/\/t.co\/kC1BEonomP\">https:\/\/t.co\/kC1BEonomP<\/a><\/p>\n<p>Still under investigation.<\/p>\n<p>Stay vigilant!<\/p>\n<p>\u2014 CertiK Alert (@CertiKAlert) <a href=\"https:\/\/twitter.com\/CertiKAlert\/status\/2049428250359648528?ref_src=twsrc%5Etfw\">April 29, 2026<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The project team <a href=\"https:\/\/x.com\/AftermathFi\/status\/2049442291371434187\">stated<\/a> that all trading platform products remain secure. According to the developers, the perpetual futures protocol was targeted.\u00a0<\/p>\n<p>Back in late April, hackers <a href=\"https:\/\/forklog.com\/en\/news\/hackers-breach-defi-protocol-scallop\">attacked<\/a> the DeFi project Scallop and withdrew about 150,000 SUI from the sSUI reward pool.\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The L1 network ZetaChain released a post-mortem of the April 27 hacking attack. The team stated the breach was due to a vulnerability in the cross-chain messaging mechanism.<\/p>\n","protected":false},"author":1,"featured_media":96604,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"ZetaChain released a post-mortem of the April 27 hacking attack.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,1310],"class_list":["post-96603","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-zetachain"],"aioseo_notices":[],"amp_enabled":true,"views":"3","promo_type":"1","layout_type":"1","short_excerpt":"ZetaChain released a post-mortem of the April 27 hacking attack.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/96603","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=96603"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/96603\/revisions"}],"predecessor-version":[{"id":96605,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/96603\/revisions\/96605"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/96604"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=96603"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=96603"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=96603"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}