Zoth, a platform for real-world assets built on Ethereum, has experienced an $8.85 million hack after intruders successfully accessed a private key.
This incident represents the second significant security breach for Zoth within a month, underscoring persistent vulnerabilities in decentralized finance protocols.
The attacker is believed to have compromised the protocol’s deployer wallet, enabling them to upgrade the “USD0PPSubVaultUpgradeable” proxy contract to one that they controlled.
This tactic allowed the hacker to withdraw $8.4 million in Zoth’s USD0++ stablecoin, which was then swiftly exchanged for 8.3 million DAI and transferred to an external wallet.
In response, Zoth has taken its website offline for maintenance, collaborating with security experts to evaluate the extent of the damage and to avert further attacks.
Proxy contract compromise
Proxy contracts, commonly utilized in DeFi for their upgradability, pose a risk when the private keys securing them are breached. The unauthorized upgrade in this incident illustrates how control of the upgrade key lets an attacker replace a contract's logic with code of their own choosing and divert funds without facing resistance.
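As an added illustration (not code from the article or from Zoth), the following Python monitor flags the two on-chain signals of the pattern described above: an EIP-1967 `Upgraded` event pointing at an implementation that is not on an audited allowlist, and an `AdminChanged` event moving proxy admin rights away from the expected timelock or multisig. The event topic hashes are the standard EIP-1967 signatures; all addresses and log records are constructed placeholders.

```python
from dataclasses import dataclass

# keccak256 of the EIP-1967 event signatures emitted by standard upgradeable proxies.
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"       # Upgraded(address indexed implementation)
ADMIN_CHANGED_TOPIC = "0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f"  # AdminChanged(address previousAdmin, address newAdmin)

@dataclass(frozen=True)
class Alert:
    tx_hash: str
    proxy: str
    kind: str
    new_value: str

def word_to_address(word: str) -> str:
    """Extract the 20-byte address from a 32-byte ABI word (a topic or a data slice)."""
    return "0x" + word.removeprefix("0x")[-40:].lower()

def detect_proxy_changes(logs, approved_impls, expected_admin):
    """Flag Upgraded events whose new implementation is not on the audited allowlist,
    and AdminChanged events that move admin rights away from the expected controller.
    approved_impls: {proxy_address: {approved implementation addresses}}
    expected_admin: {proxy_address: admin (timelock/multisig) that should own the proxy}"""
    alerts = []
    for log in logs:
        proxy = log["address"].lower()
        if proxy not in approved_impls:
            continue  # not one of the proxies we monitor
        topic0 = log["topics"][0].lower()
        if topic0 == UPGRADED_TOPIC:
            impl = word_to_address(log["topics"][1])  # indexed arg lives in topics[1]
            if impl not in approved_impls[proxy]:
                alerts.append(Alert(log["transactionHash"], proxy, "unapproved_implementation", impl))
        elif topic0 == ADMIN_CHANGED_TOPIC:
            data = log["data"].removeprefix("0x")   # non-indexed args: two 32-byte words
            new_admin = word_to_address(data[64:128])
            if new_admin != expected_admin[proxy]:
                alerts.append(Alert(log["transactionHash"], proxy, "admin_moved", new_admin))
    return alerts

# Constructed sample data: every address here is a placeholder, not a real contract.
PROXY, GOOD_IMPL, ROGUE_IMPL, TIMELOCK = ("0x" + b * 20 for b in ("11", "22", "33", "44"))
SAMPLE_LOGS = [
    {"address": PROXY, "transactionHash": "0xaaa1", "data": "0x",
     "topics": [UPGRADED_TOPIC, "0x" + GOOD_IMPL[2:].rjust(64, "0")]},   # routine, approved upgrade
    {"address": PROXY, "transactionHash": "0xaaa2", "data": "0x",
     "topics": [UPGRADED_TOPIC, "0x" + ROGUE_IMPL[2:].rjust(64, "0")]},  # attacker-controlled logic
]

def run_sample():
    return detect_proxy_changes(SAMPLE_LOGS, {PROXY: {GOOD_IMPL}}, {PROXY: TIMELOCK})

if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a.kind}: proxy {a.proxy} -> {a.new_value} in tx {a.tx_hash}")
```

In production the log records would come from `eth_getLogs` filtered on the proxy addresses, and the allowlist would be updated only through the same change-control process that approves the upgrade itself.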
This breach comes on the heels of a previous exploit on March 6, during which Zoth lost $285,000 due to vulnerabilities in a liquidity pool. These recurrent security issues raise alarms about the platform’s risk management practices and may attract regulatory attention.