On March 21, 2025, Zoth, an Ethereum-based real-world asset (RWA) restaking protocol, suffered its second exploit within the month, resulting in the theft of approximately $8.4 million in USD0++ tokens. The attacker compromised the deployer wallet’s private key, granting admin privileges to upgrade the USD0PPSubVaultUpgradeable proxy contract to a malicious implementation at address 0xc89d7894341e13d5067d003af5346b257d861f56, deployed on March 15. This allowed the unauthorized withdrawal of 8,851,750.373778311459263 USD0++ tokens (~$8,484,544) via transaction 0x33bf669d125d11c432ac9b52b9d56161101c072fd8b0ac2aa390f5760fb50ca4 to the attacker’s wallet 0x3b33c5cd948be5863b72cb3d6e9c0b36e67d01e5, funded seven days prior with 0.546 ETH via ChangeNOW.
The funds were immediately swapped for 8,323,591.477168 DAI (~$8,319,354) and transferred to a second wallet 0x7b0cd0d83565adbb57585d0265b7d15d6d9f60cf, then converted to 4,223 ETH using CoW Swap and Uniswap V2 via transaction 0xef528f68bf9ed5e8b3d502435d4773fb70d4d682c8a019e20b6818692ade5dc3. A failed attempt occurred 20 hours earlier (transaction 0xeb87081cfb61a5ec8ebab8a4e9e4734af51cdd2317c43c6c96e58394870f2b1f), indicating a planned attack with testing. This followed a March 6 liquidity pool exploit causing $285,000 losses.
Blockchain security firms Cyvers and PeckShield detected the incident shortly after, flagging the suspicious upgrade. Zoth’s team confirmed the breach, placed the website in maintenance mode, collaborated with security partners to mitigate impacts, and offered a $500,000 bounty for information leading to the hacker’s identification and fund recovery. They pledged a detailed post-mortem report upon investigation completion. The ZOT token price dropped over 21.9% post-exploit.
The incident underscores the weakness of admin wallets protected by a single key and of the proxy upgrades they control. It argues for multi-signature setups, timelocks, regular audits, and robust off-chain key security to prevent compromises of this kind, which resemble insider attacks and involve no flaw in the contract code.
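The upgrade-monitoring side of those controls can be sketched as follows. This is an added example, not code from Zoth or from this report: it reviews proxy upgrade events against an approval policy, assuming the proxy emits the standard ERC-1967 `Upgraded(address)` event and that each log record has already been joined with its transaction's `to` field. All addresses, the 48-hour delay, and the policy field names are hypothetical placeholders.

```python
# Added example with constructed data; every address below is a placeholder.
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"  # keccak256("Upgraded(address)")

PROXY, TIMELOCK = "0x" + "a1" * 20, "0x" + "b2" * 20
APPROVED_IMPL, UNKNOWN_IMPL = "0x" + "d4" * 20, "0x" + "e5" * 20

POLICY = {
    "watched_proxies": {PROXY},
    "governed_entrypoints": {TIMELOCK},            # tx.to must be the timelock/multisig
    "approved_impls": {APPROVED_IMPL: 1_000_000},  # implementation -> approval time (unix)
    "min_delay": 48 * 3600,                        # assumed 48 h review window
}

def topic_for(addr):
    """Encode an address as an indexed event topic (left-padded to 32 bytes)."""
    return "0x" + "00" * 12 + addr[2:]

def review_upgrade(log, policy=POLICY):
    """Return policy violations for one log record; [] means clean or not an upgrade."""
    topics = log["topics"]
    if log["address"].lower() not in policy["watched_proxies"]:
        return []
    if len(topics) < 2 or topics[0].lower() != UPGRADED_TOPIC:
        return []
    impl = "0x" + topics[1][-40:].lower()  # last 20 bytes of the topic
    findings = []
    if log["tx_to"].lower() not in policy["governed_entrypoints"]:
        findings.append("upgrade did not go through timelock/multisig")
    approved_at = policy["approved_impls"].get(impl)
    if approved_at is None:
        findings.append("implementation was never approved: " + impl)
    elif log["timestamp"] - approved_at < policy["min_delay"]:
        findings.append("upgrade executed before review delay elapsed")
    return findings

SAMPLE_LOGS = [  # constructed records: event log joined with its transaction's `to` field
    {"address": PROXY, "topics": [UPGRADED_TOPIC, topic_for(APPROVED_IMPL)],
     "tx_to": TIMELOCK, "timestamp": 1_000_000 + 72 * 3600},
    {"address": PROXY, "topics": [UPGRADED_TOPIC, topic_for(UNKNOWN_IMPL)],
     "tx_to": PROXY, "timestamp": 1_000_000 + 72 * 3600},
    {"address": PROXY, "topics": [UPGRADED_TOPIC, topic_for(APPROVED_IMPL)],
     "tx_to": TIMELOCK, "timestamp": 1_000_000 + 3600},
]

if __name__ == "__main__":
    for record in SAMPLE_LOGS:
        print(review_upgrade(record) or "ok")
```

The second sample record models the pattern described in this report: an upgrade sent straight to the proxy with an implementation nobody approved, which trips both checks.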