The L1 network ZetaChain has released a post-mortem of the hacking attack that occurred on April 27. The team stated that the breach was due to a vulnerability in the cross-chain messaging mechanism.
On Apr 27, ZetaChain experienced a targeted exploit involving deliberate preparation, including Tornado Cash funding and wallet address spoofing.
Cross-chain ZETA transfers were not affected.
No user funds were affected — all impacted wallets were ZetaChain-controlled.
A…
— ZetaChain 🟩 (@ZetaChain) April 29, 2026
The GatewayEVM contract was targeted, serving as a single point of failure in interactions between external networks and applications within the ecosystem.
Users were not affected: the exploit impacted only three internal developer wallets. The total damage amounted to $333,868 (mainly in USDC and USDT). The attacker withdrew funds through nine transactions on Ethereum, Arbitrum, Base, and BSC.
ZetaChain explained the breach as a combination of three factors:
- the network’s architecture allowed any user to make arbitrary calls with minimal restrictions;
- GatewayEVM on the receiving side processed a wide range of commands, including transferFrom, which moves assets from another address that has approved the caller;
- old unlimited permissions were not automatically revoked: users who had previously deposited tokens via GatewayEVM.deposit() granted the contract unlimited rights to withdraw funds.
Developers believe the hacker prepared the attack in advance: he funded the wallet through the crypto mixer Tornado Cash three days before the incident. The attacker used the “address poisoning” method. After the theft, he converted the assets to ETH.
The ZetaChain team released a patch on the mainnet and fixed the vulnerability. Users were advised to revoke all old ERC-20 permissions.
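To act on the revoke recommendation, a wallet owner first needs to know which approvals are still open. The following added example (not ZetaChain's code) replays ERC-20 Approval event logs and lists the allowances a given spender contract still holds; all addresses and log entries are constructed placeholders, and the "unlimited" threshold is an assumption.

```python
# Added example (not ZetaChain code): list ERC-20 approvals still open to a spender.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1
UNLIMITED_FLOOR = 2**255  # assumption: treat allowances this large as "unlimited"

def _addr(topic):
    """An indexed address is left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def open_approvals(logs, spender):
    """Replay Approval logs in chain order and return non-zero allowances for spender.
    The result is an upper bound: finite allowances shrink as they are spent,
    often without a new event, so confirm each hit with allowance() on chain.
    """
    spender, state = spender.lower(), {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-20 Approval has exactly 3 topics; ERC-721 reuses the signature with 4.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if _addr(topics[2]) != spender:
            continue
        data = log["data"]
        state[(log["address"].lower(), _addr(topics[1]))] = int(data, 16) if len(data) > 2 else 0
    return [{"token": t, "owner": o, "allowance": v, "unlimited": v >= UNLIMITED_FLOOR}
            for (t, o), v in sorted(state.items()) if v > 0]

# Constructed sample data: every address below is a placeholder, not a real contract.
GATEWAY, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20
ALICE, BOB, CAROL = "0x" + "a1" * 20, "0x" + "b0" * 20, "0x" + "c0" * 20

def _log(token, owner, spender, value, block, index=0):
    pad = lambda a: "0x" + "00" * 12 + a[2:]  # left-pad an address to a 32-byte topic
    return {"address": token, "blockNumber": block, "logIndex": index,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [
    _log(TOKEN_A, BOB, GATEWAY, 0, 150),              # Bob's later revoke, listed first
    _log(TOKEN_A, ALICE, GATEWAY, MAX_UINT256, 100),  # never revoked
    _log(TOKEN_A, BOB, GATEWAY, MAX_UINT256, 101),
    _log(TOKEN_B, CAROL, GATEWAY, 500, 120),          # finite, still open
    _log(TOKEN_A, ALICE, OTHER, MAX_UINT256, 130),    # different spender, ignored
]

if __name__ == "__main__":
    for row in open_approvals(SAMPLE_LOGS, GATEWAY):
        print(row)
```

Each row it reports is a candidate for an approve(spender, 0) revocation by the owner.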
Syndicate and Aftermath Breaches
On April 28, the Ethereum infrastructure project Syndicate was breached. The team recorded “unusual movements” of native SYND tokens — presumably due to the compromise of the Commons cross-chain bridge.
We are investigating unusual movements in SYND tokens that may indicate a possible security issue.
We recommend avoiding provisioning any liquidity until this is resolved.
— Syndicate (@syndicateio) April 29, 2026
“We are monitoring the attack and engaging with cybersecurity firms. We are also considering options for compensating losses. Syndicate has sufficient tokens to assist affected users,” the developers wrote.
The attack was confirmed by CertiK specialists, who estimated the damage at $330,000.
We have seen an exploit involving @syndicateio through a compromise of the Commons bridge.
This address acquired ~18.5M SYND and sold them for ~$330 K, which has been bridged to Ethereum. https://t.co/2KictJaGPV
Stay Vigilant! https://t.co/kmbcBFl3AM pic.twitter.com/EvfZFz2R6x
— CertiK Alert (@CertiKAlert) April 29, 2026
The attacker acquired approximately 18.5 million SYND, sold them, and transferred the assets to Ethereum.
Following the incident, the coin’s price fell by more than 36% — to $0.02, according to CoinGecko.
Meanwhile, CertiK reported a breach of the Aftermath Finance exchange in the Sui ecosystem. According to experts, the cybercriminal withdrew about $900,000 in USDC.
We have seen an exploit involving @AftermathFi.
~$900K USDC drained so far https://t.co/kC1BEonomP
Still under investigation.
Stay vigilant!
— CertiK Alert (@CertiKAlert) April 29, 2026
The project team stated that all trading platform products remain secure. According to the developers, the perpetual futures protocol was targeted.
Back in late April, hackers attacked the DeFi project Scallop and withdrew about 150,000 SUI from the sSUI reward pool.
