The re-staking protocol for real-world assets (RWA), Zoth, fell victim to an exploit that resulted in losses exceeding $8.4 million, prompting the platform to enter maintenance mode.
On March 21, a blockchain security firm identified a concerning transaction linked to Zoth. They reported that the wallet of the protocol’s deployer had been breached, allowing the attacker to withdraw over $8.4 million worth of cryptocurrency.
The stolen assets were quickly converted into DAI stablecoin and subsequently transferred to a different wallet, as noted by the security firm.
In light of the breach, Zoth’s website was taken offline for maintenance. The protocol acknowledged the security incident and is actively working to rectify the issue as swiftly as possible.
The Zoth development team indicated that they are collaborating with partners to “mitigate the impact” and fully address the situation. They have committed to releasing a comprehensive report following the completion of their investigation.
Post-hack, the stolen funds have been moved and exchanged for Ether (ETH), according to information from another security firm.
Funds being relocated by the hacker. Source: Peckshield
Related: SMS scammers impersonating Binance have devised a more sophisticated method to deceive victims.
Admin Privilege Leak Likely the Cause of the Hack
The investigation team suggested that the incident underscores the weaknesses present in smart contract protocols and the critical need for improved security measures.
A senior member of the security team explained that the hack likely resulted from a leak in admin privileges. Approximately 30 minutes prior to the detection of the exploit, a Zoth contract had been upgraded to a malicious version from a questionable address.
“In contrast to typical exploits, this method circumvented security protocols, granting immediate control over user funds,” noted the security expert.
They emphasized that implementing multisig upgrades, introducing timelocks on contract updates to enable oversight, and placing real-time notifications for admin role changes could help avert such attacks. Enhanced key management practices were also recommended to prevent unauthorized access.
While there were preventative measures that could have been taken, the expert expressed concern that such attacks might persist in the decentralized finance (DeFi) space. They highlighted that compromised admin keys pose a substantial risk within the DeFi ecosystem.
“Without decentralized mechanisms for upgrades, attackers will persistently target privileged roles to seize control of protocols,” they concluded.
Magazine: Memecoins may be fading — But Solana is ‘100x better’ despite falling revenues.