SlowMist analyzes the cause of the ZetaChain attack: the GatewayZEVM contract's call function lacks access control.

CoinFeed reported on April 28th that, according to SlowMist's analysis, the root cause of the ZetaChain attack lies in the lack of access control and input validation in the GatewayZEVM contract's `call` function. This allows any user to initiate cross-chain calls through GatewayZEVM and execute arbitrary operations on external chains via relays. Attackers exploited this vulnerability to construct malicious cross-chain events on ZetaChain. After the relay captured these events, malicious calls were executed on the target chain via TSS, thereby stealing funds. Previous reports indicated that ZetaChain's GatewayEVM contract had been attacked, the attack route had been blocked, and user funds were safe.