ZetaChain Publishes Post-Mortem of $334K Cross-Chain Exploit; Syndicate and Aftermath Also Hacked
ZetaChain detailed a $333,868 exploit targeting its GatewayEVM contract on April 27. Meanwhile, Syndicate lost $330K through a bridge compromise, and Aftermath Finance on Sui was drained of $900K.
ZetaChain's GatewayEVM Contract Exploited for $333,868
Layer 1 blockchain ZetaChain has released a detailed post-mortem following a targeted exploit on April 27. The attacker leveraged a vulnerability in the network's cross-chain messaging mechanism to steal $333,868, primarily in USDC and USDT.
"On Apr 27, ZetaChain experienced a targeted exploit involving deliberate preparation, including Tornado Cash funding and wallet address spoofing. Cross-chain ZETA transfers were not affected. No user funds were affected — all impacted wallets were ZetaChain-controlled." — ZetaChain (@ZetaChain), original post
The attack targeted the GatewayEVM contract — a critical component that serves as the single point of interaction between external blockchains and applications within ZetaChain's ecosystem. No user funds were compromised; the exploit only affected three internal wallets controlled by the development team.
Why This Matters
A cluster of cross-chain infrastructure attacks in late April exposes systemic vulnerabilities in bridge and gateway architectures. Three separate projects — ZetaChain, Syndicate, and Aftermath Finance — were exploited within days of each other, raising serious questions about the security of interoperability solutions. Combined losses from the three incidents exceeded $1.5 million.
Three Factors Behind the ZetaChain Exploit
ZetaChain identified three root causes that enabled the attack:
- Permissive architecture: The network allowed any user to execute arbitrary calls with minimal restrictions.
- Broad GatewayEVM capabilities: The receiving-side contract processed a wide range of commands, including transferFrom, which permitted moving assets on behalf of another address if approval had been granted.
- Stale unlimited approvals: Users who had previously deposited tokens via GatewayEVM.deposit() had granted the contract unlimited spending permissions, and these approvals were never automatically revoked.
According to the team, the attacker prepared well in advance — funding a wallet through the Tornado Cash mixer three days before the incident. The hacker employed an address poisoning technique and extracted funds through nine transactions across Ethereum, Arbitrum, Base, and BSC. After the theft, all stolen assets were converted to ETH.
ZetaChain has deployed a patch to mainnet resolving the vulnerability and recommends all users revoke any outstanding ERC-20 approvals for the GatewayEVM contract.
Syndicate Loses $330K via Commons Bridge Compromise
On April 28, Ethereum infrastructure project Syndicate detected unusual movements in its native SYND token, reportedly caused by a compromise of the Commons cross-chain bridge.
"We are investigating unusual movements in SYND tokens that may indicate a possible security issue. We recommend avoiding provisioning any liquidity until this is resolved." — Syndicate (@syndicateio), original post
The Syndicate team stated they are working with cybersecurity firms on the investigation and exploring options to compensate affected users. They indicated the project holds sufficient tokens to assist those impacted.
Blockchain security firm CertiK confirmed the exploit and estimated the damage at $330,000. The attacker acquired approximately 18.5 million SYND tokens, sold them, and bridged the proceeds to Ethereum.
"#CertiKInsight 🚨 We have seen an exploit involving @syndicateio through a compromise of the Commons bridge. This address acquired ~18.5M SYND and sold them for ~$330K, which has been bridged to Ethereum." — CertiK Alert (@CertiKAlert), original post
Following the incident, SYND's price plunged more than 36% to $0.02, according to CoinGecko data.
Aftermath Finance on Sui Drained of $900K
Separately, CertiK reported an exploit targeting Aftermath Finance, a trading platform in the Sui ecosystem. The attacker drained approximately $900,000 in USDC.
"#CertiKInsight 🚨 We have seen an exploit involving @AftermathFi. ~$900K USDC drained so far. Still under investigation." — CertiK Alert (@CertiKAlert), original post
Aftermath Finance's team clarified that all other products on the platform remain secure and that only the perpetual futures protocol was affected.
Earlier in late April, hackers also targeted DeFi protocol Scallop on the Sui network, stealing approximately 150,000 SUI from the sSUI rewards pool. The wave of incidents underscores escalating security risks across DeFi and cross-chain infrastructure.
Frequently Asked Questions
How much was stolen in the ZetaChain exploit?
The attacker stole $333,868 primarily in USDC and USDT through nine transactions across Ethereum, Arbitrum, Base, and BSC. Only three internal team-controlled wallets were affected — no user funds were lost.
What caused the ZetaChain GatewayEVM vulnerability?
Three factors combined: the architecture allowed arbitrary calls with minimal restrictions, GatewayEVM could process transferFrom commands enabling asset transfers on behalf of other addresses, and old unlimited ERC-20 approvals were never automatically revoked.
How was Syndicate hacked?
The Commons cross-chain bridge was compromised, allowing an attacker to acquire approximately 18.5 million SYND tokens and sell them for roughly $330,000. The proceeds were bridged to Ethereum, and SYND price dropped over 36% to $0.02.
What happened to Aftermath Finance on Sui?
Approximately $900,000 in USDC was drained from Aftermath Finance's perpetual futures protocol. CertiK confirmed the exploit, while the team stated all other products on the platform remained secure.
Should I revoke ERC-20 approvals after the ZetaChain exploit?
Yes. ZetaChain explicitly recommended that all users revoke any outstanding ERC-20 approvals granted to the GatewayEVM contract. The vulnerability was patched on mainnet, but old unlimited approvals could still pose a risk.
Read also
Drift Protocol Hack Victims File Class Action Lawsuit Against Circle Over $230M in USDC
Over 100 victims of the Drift Protocol exploit have filed a class action lawsuit against Circle in Massachusetts court, accusing the USDC issuer of negligence and enabling hackers.
AI Audit Uncovers Critical Liveness Bug in Ethereum's Nethermind Client
Octane Security's AI discovered a high-severity vulnerability in the Nethermind execution client that could have halted block production for 38% of Ethereum mainnet validators. The Ethereum Foundation awarded a maximum $50,000 bounty.
TON Wallet Introduces Yield Vaults for BTC, ETH, and USDT Directly in Telegram
TON Wallet has launched yield vaults for BTC, ETH, and USDT directly within Telegram, offering up to 18% APY on stablecoins through partnerships with Morpho, TAC, and Re7.
Weekly Recap: Aave Ecosystem Rescue Mobilizes 100,000 ETH and Quantum Computer Cracks 15-Bit ECC Key
Bitcoin held near $78,000, the DeFi community rallied over 100,000 ETH to help Aave recover from the Kelp hack, and a researcher cracked a 15-bit ECC key on a quantum computer.
Stablecoin Transfer Volume Hits $10.5 Trillion in January — Highest Since April 2022
January stablecoin transaction volume surpassed $10.5 trillion, marking the highest monthly figure since April 2022. USDC led transfers while USDT maintained market cap dominance.
Top 10 Dollar Stablecoins in 2026: From Dominant Players to Exit Candidates
The stablecoin market has surpassed $311 billion in total capitalization. Here's a breakdown of the ten largest USD-pegged stablecoins — from undisputed leaders Tether and Circle to ambitious newcomers.