The L1 network ZetaChain published a post-mortem of a hacking incident that occurred on April 27. The team stated that the breach was due to a vulnerability in the cross-chain messaging mechanism.
On Apr 27, ZetaChain experienced a targeted exploit involving deliberate preparation, including Tornado Cash funding and wallet address spoofing.
β ZetaChain π© (@ZetaChain) April 29, 2026
Cross-chain ZETA transfers were not affected.
No user funds were affected β all impacted wallets were ZetaChain-controlled.
Aβ¦
The attack targeted the GatewayEVM contract, which serves as a single point of failure for interactions between external networks and applications within the ecosystem.
Users were not harmed: the exploit only affected three internal developer wallets. The total damage amounted to $333,868 (primarily in USDC and USDT). The attacker withdrew funds through nine transactions across Ethereum, Arbitrum, Base, and BSC.
Stolen assets. Source: ZetaChain.ZetaChain explained the hack as a combination of three factors:
- The network architecture allowed any user to make arbitrary calls with minimal restrictions;
- The GatewayEVM on the receiving side processed a wide range of commands, including transferFrom β allowing assets to be moved on behalf of another address with approval;
- Old unlimited approvals were not automatically revoked: users who previously deposited tokens via GatewayEVM.deposit() granted the contract unlimited rights to withdraw funds.
Developers believe the hacker prepared for the attack in advance: they funded their wallet through the crypto mixer Tornado Cash three days before the incident. The attacker employed the address poisoning method. After the theft, they converted the assets to ETH.
The ZetaChain team released a patch to the mainnet and fixed the vulnerability. Users were advised to revoke all old ERC-20 approvals.
Syndicate Hack and Aftermath
On April 28, the Ethereum infrastructure project Syndicate was hacked. The team detected "unusual movements" of native SYND tokens β presumably due to a compromise of the Commons cross-chain bridge.
We are investigating unusual movements in SYND tokens that may indicate a possible security issue.
β Syndicate (@syndicateio) April 29, 2026
We recommend avoiding provisioning any liquidity until this is resolved.
"We are tracking the attack and working with cybersecurity firms. We are also considering options for compensating losses. Syndicate has enough tokens to assist affected users," the developers stated.
The attack was confirmed by CertiK specialists, who estimated the damage at $330,000.
#CertiKInsight π¨
β CertiK Alert (@CertiKAlert) April 29, 2026
We have seen an exploit involving @syndicateio through a compromise of the Commons bridge.
This address acquired ~18.5M SYND and sold them for ~$330 K, which has been bridged to Ethereum.https://t.co/2KictJaGPV
Stay Vigilant!https://t.co/kmbcBFl3AM pic.twitter.com/EvfZFz2R6x
The attacker acquired approximately 18.5 million SYND, sold them, and transferred the assets to Ethereum.
In the wake of the incident, the coin's price dropped by more than 36% to $0.02, according to CoinGecko.
Meanwhile, CertiK reported a hack of the Aftermath Finance exchange within the Sui ecosystem. Experts indicated that the cybercriminal drained about $900,000 in USDC.
#CertiKInsight π¨
β CertiK Alert (@CertiKAlert) April 29, 2026
We have seen an exploit involving @AftermathFi.
~$900K USDC drained so far https://t.co/kC1BEonomP
Still under investigation.
Stay vigilant!
The project team stated that all marketplace products remain secure. According to the developers, the perpetual futures protocol was compromised.
Itβs worth noting that at the end of April, hackers attacked the DeFi project Scallop, draining approximately 150,000 SUI from the rewards pool.