Zoth, an Ethereum-based platform dedicated to tokenizing real-world assets, suffered a significant security breach on March 21 that resulted in the loss of $8.85 million in digital assets. It was the second such incident in under three weeks.
The company has acknowledged the breach and is collaborating with security specialists to investigate the matter.
As part of its response, Zoth is offering a $500,000 reward for any information that leads to the identification of the hacker behind the recent $8.85 million exploit.
The attack unfolded early on March 21, when the perpetrator compromised an admin key, which allowed them to control a Zoth proxy contract. The hacker upgraded the contract, granting them the ability to execute unauthorized fund transfers.
Blockchain analysis reveals that $8.85 million worth of USD0++ stablecoins were siphoned from the contract and converted into 4,223 ETH, which was subsequently moved to an external wallet.
Zoth has reassured users that it is taking measures to lessen the impact, and has committed to releasing a comprehensive report once its investigation concludes.
Second incident
This incident marks the second exploit targeting Zoth this month. Previously, on March 6, an attacker took advantage of a flaw in one of its liquidity pools, minting synthetic assets without adequate collateral, leading to a loss of $285,000.
Security experts say that improved key management and real-time monitoring could have prevented the breach. They caution that further funds could be in jeopardy if other contracts within the platform have the same admin access vulnerabilities.
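The kind of real-time monitoring described above can be as simple as alerting on every proxy upgrade that points to an implementation nobody approved. The following is an added example, not Zoth's code or anything from its investigation: it assumes an EIP-1967 style proxy that emits the standard `Upgraded(address)` event (the article does not say which proxy pattern Zoth uses), and all addresses, log entries and function names are constructed for illustration.

```python
# Added example (not Zoth's code). Assumes an EIP-1967 style proxy that emits
# Upgraded(address indexed implementation) whenever its logic contract changes.
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# Constructed placeholder addresses, not taken from the incident.
PROXY = "0x" + "aa" * 20
OTHER = "0x" + "cc" * 20
APPROVED_IMPL = "0x" + "b1" * 20
UNKNOWN_IMPL = "0x" + "ee" * 20

def pad(addr):
    """Encode an address the way an indexed event argument appears in a log."""
    return "0x" + "00" * 12 + addr[2:]

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    raw = topic[2:]
    if len(raw) != 64 or int(raw[:24], 16) != 0:
        raise ValueError("topic is not a padded address")
    return "0x" + raw[24:].lower()

def find_unapproved_upgrades(logs, proxies, approved):
    """Return one alert per Upgraded event on a watched proxy whose new
    implementation is not on the approved list (or cannot be decoded)."""
    alerts = []
    for log in logs:
        topics = log.get("topics", [])
        if log.get("address", "").lower() not in proxies:
            continue  # not one of our proxies
        if not topics or topics[0].lower() != UPGRADED_TOPIC:
            continue  # some other event, e.g. a token transfer
        try:
            impl = topic_to_address(topics[1])
        except (IndexError, ValueError):
            impl = None  # malformed log: alert rather than ignore
        if impl not in approved:
            alerts.append({"proxy": log["address"], "implementation": impl,
                           "tx": log.get("transactionHash")})
    return alerts

# Constructed log entries in the shape returned by eth_getLogs.
SAMPLE_LOGS = [
    {"address": PROXY, "topics": [UPGRADED_TOPIC, pad(APPROVED_IMPL)], "transactionHash": "0x01"},
    {"address": PROXY, "topics": [TRANSFER_TOPIC, pad(OTHER), pad(PROXY)], "transactionHash": "0x02"},
    {"address": OTHER, "topics": [UPGRADED_TOPIC, pad(UNKNOWN_IMPL)], "transactionHash": "0x03"},
    {"address": PROXY, "topics": [UPGRADED_TOPIC, pad(UNKNOWN_IMPL)], "transactionHash": "0x04"},
]

ALERTS = find_unapproved_upgrades(SAMPLE_LOGS, {PROXY}, {APPROVED_IMPL})
```

Only the last sample entry raises an alert: the approved upgrade, the token transfer and the upgrade on an unwatched contract are all ignored.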
Zoth has not revealed whether affected users will be reimbursed but stated that it is dedicated to enhancing security measures to prevent future breaches.
This incident highlights the persistent risks that decentralized finance platforms face, especially those that rely on centralized admin controls. Security firms have noted a spike in sophisticated key compromises, with over $10 billion lost to exploits within the DeFi space over the past five years.
The company has not commented on how the attacker might have acquired the private key but has said that updates will be provided once its investigation is complete.
