Highlights:
- Zoth lost $8.4 million after an attacker gained control of its deployer wallet and upgraded a proxy contract.
- Experts have noted that the attack resulted from leaked admin privileges and poor management of private keys.
- The company has not disclosed how the attacker gained admin privileges.
Zoth, a restaking protocol, has suffered a serious security breach that resulted in the loss of $8.4 million in assets. Blockchain security firm Cyvers Alerts reported that the attacker gained access to the protocol’s deployer wallet, which allowed them to execute a suspicious transaction.
Security Notice
Our system has experienced a security breach. We’re actively investigating the incident and taking all necessary steps to resolve it as swiftly as possible.
We are working closely with our partners to mitigate the impact and fully resolve the issue. A detailed…
— ZOTH (@zothdotio) March 21, 2025
The breach occurred after a proxy contract called “USD0PPSubVaultUpgradeable” was upgraded about 30 minutes before the funds were stolen. The upgrade pointed the proxy to a contract created by an address associated with the attacker, and that contract enabled the unauthorized withdrawal. The attacker drained $8.4 million worth of the stablecoin USD0++, converted the stolen assets into DAI, and then transferred them to another wallet within minutes.
Following the attack, Zoth placed its website under maintenance while confirming the breach in an official statement. The team said they are working with partners and will share a full report once the investigation is complete.
Security Gaps Cited as Key Cause of the Exploit
Cyvers later revealed that the attacker likely gained control through leaked admin privileges, which made the breach possible. Cyvers reported that the attacker upgraded the Zoth proxy contract to a malicious version approximately thirty minutes before the funds were drained.
This allowed the attacker to take control of the funds instantly, bypassing the security measures that were in place. Security experts from PeckShield confirmed that the attacker gained access to the contract’s private key, which enabled them to update the contract and redirect the funds.
#PeckShieldAlert @zothdotio hacker has swapped the stolen funds for 4,223 $ETH pic.twitter.com/OAlYk1TqJg
— PeckShieldAlert (@PeckShieldAlert) March 21, 2025
PeckShield stated that once the attacker had control, the funds were first converted into DAI, later swapped for 4,223 ETH, and finally moved to another address. Security experts explained that this type of attack could be avoided through several preventive measures, including requiring a multisig for contract upgrades, which would have reduced the single points of failure in system operations.
They also recommended adding timelocks to upgrades, which would provide a window to review suspicious activity before it takes effect, and setting up real-time notifications whenever an admin role changes. Zoth did not disclose how the attacker obtained the private key or how many other contracts could be at risk.
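The three recommendations above (real-time alerts on admin role changes, a timelock window so that an unannounced upgrade stands out, and monitoring for an upgrade followed by a large outflow) can be expressed as detection logic over proxy event logs. The following is an added example written for this article, not code from Zoth, Cyvers or PeckShield. It decodes the standard ERC-1967 `Upgraded` and `AdminChanged` events from constructed log entries (the proxy, admin and implementation addresses, timestamps and amounts are all made up for the demo) and assumes a `scheduled` map of implementations that were announced through a timelock.

```python
"""Detection logic for proxy-admin abuse on an upgradeable contract.

Flags: (1) any admin role change, (2) an implementation upgrade that was never
scheduled through a timelock, and (3) an upgrade followed by a large outflow
within a short window. Added example; all sample logs below are constructed."""
from dataclasses import dataclass

# ERC-1967 event topic hashes (keccak256 of the event signature).
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"       # Upgraded(address)
ADMIN_CHANGED_TOPIC = "0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f"  # AdminChanged(address,address)


@dataclass
class Log:
    timestamp: int
    address: str   # proxy contract that emitted the event
    topics: list   # topic[0] is the event signature hash; indexed args follow
    data: str      # ABI-encoded non-indexed args as hex


@dataclass
class Transfer:
    timestamp: int
    token: str
    sender: str
    amount_usd: float


def _addr(word: str) -> str:
    """Extract the 20-byte address from a left-padded 32-byte hex word."""
    return "0x" + word[-40:].lower()


def decode_event(log: Log):
    """Return (name, args) for the two ERC-1967 admin events, None for anything else."""
    if not log.topics:
        return None
    if log.topics[0] == UPGRADED_TOPIC:
        return "Upgraded", {"implementation": _addr(log.topics[1])}
    if log.topics[0] == ADMIN_CHANGED_TOPIC:
        body = log.data[2:]  # two 32-byte words: previousAdmin, newAdmin
        return "AdminChanged", {"previous": _addr(body[:64]), "new": _addr(body[64:128])}
    return None


def find_alerts(logs, transfers, scheduled, window_seconds=3600, outflow_threshold_usd=1_000_000):
    """Walk the logs in time order and emit alerts for the three conditions above."""
    alerts = []
    for log in sorted(logs, key=lambda entry: entry.timestamp):
        decoded = decode_event(log)
        if decoded is None:
            continue
        name, args = decoded
        if name == "AdminChanged":
            alerts.append({"kind": "admin_changed", "timestamp": log.timestamp,
                           "proxy": log.address, **args})
        elif name == "Upgraded":
            impl = args["implementation"]
            if impl not in scheduled.get(log.address, set()):
                alerts.append({"kind": "unscheduled_upgrade", "timestamp": log.timestamp,
                               "proxy": log.address, "implementation": impl})
            # Sum outflows from the proxy in the window right after the upgrade.
            drained = sum(t.amount_usd for t in transfers
                          if t.sender == log.address
                          and log.timestamp <= t.timestamp <= log.timestamp + window_seconds)
            if drained >= outflow_threshold_usd:
                alerts.append({"kind": "upgrade_then_outflow", "timestamp": log.timestamp,
                               "proxy": log.address, "drained_usd": drained})
    return alerts


# --- Constructed sample data (hypothetical addresses, not from the incident) ---
PROXY = "0x" + "11" * 20
OLD_ADMIN, NEW_ADMIN = "0x" + "22" * 20, "0x" + "33" * 20
SCHEDULED_IMPL, ROGUE_IMPL = "0x" + "cc" * 20, "0x" + "bb" * 20


def _word(addr: str) -> str:
    """Left-pad an address to a 32-byte hex word, as it appears in a topic or data field."""
    return "0x" + addr[2:].rjust(64, "0")


SAMPLE_LOGS = [
    Log(10_000, PROXY, [UPGRADED_TOPIC, _word(SCHEDULED_IMPL)], "0x"),   # announced upgrade
    Log(19_000, PROXY, [ADMIN_CHANGED_TOPIC], _word(OLD_ADMIN) + _word(NEW_ADMIN)[2:]),
    Log(20_000, PROXY, [UPGRADED_TOPIC, _word(ROGUE_IMPL)], "0x"),       # never scheduled
    Log(20_000, PROXY, ["0x" + "ff" * 32], "0x"),                          # unrelated event
]
SAMPLE_TRANSFERS = [
    Transfer(12_000, "USD0++", PROXY, 1_000.0),       # routine small outflow
    Transfer(21_800, "USD0++", PROXY, 8_400_000.0),   # large drain 30 minutes after the upgrade
]
SCHEDULED = {PROXY: {SCHEDULED_IMPL}}


def run_demo():
    return find_alerts(SAMPLE_LOGS, SAMPLE_TRANSFERS, SCHEDULED)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The scheduled-implementation check is what a timelock buys you operationally: an upgrade whose implementation address never appeared in a queued proposal is by definition unauthorized, and the alert fires at the upgrade itself rather than thirty minutes later when the drain transaction lands.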
Second Breach in a Month Raises Concerns
The recent attack marks the second time Zoth has been targeted this month, following a $285,000 exploit earlier in March. In the earlier incident, a flaw in a liquidity pool allowed an attacker to mint ZeUSD without depositing enough collateral.
The second breach has intensified concerns, as security researchers noted that other contracts linked to Zoth could still be exposed. Cyvers said that continuous monitoring and decentralization of upgrade mechanisms would help reduce the risk of future attacks. The attack comes shortly after the recent hack of the crypto exchange Bybit, the biggest to date.