Ethereum-based real-world asset (RWA) platform Zoth has been hit by a major exploit, resulting in the loss of $8.85 million. The attack, which security researchers believe stemmed from a private key leak, marks the second major security breach the platform has suffered in less than a month.
According to blockchain security firm Cyvers, the breach began when a Zoth proxy contract was upgraded by a suspicious address, granting the attacker control. Immediately after the upgrade, the attacker drained stablecoins (USD0++) from the contract, swapped them for DAI, and then converted them into 4,223 ETH (~$8.3 million). All activity was executed through a series of transactions designed to obscure the origin and destination of funds.
How the Exploit Worked
At the core of this hack was Zoth’s use of proxy contracts, a common DeFi practice that allows smart contracts to be upgraded or redirected via administrative control. In this case, the attacker managed to gain admin access, likely by acquiring the private key used to control the contract. Once access was secured, the attacker pointed the proxy contract to a malicious implementation, enabling them to drain the contract’s holdings.
“This type of attack typically occurs when an attacker gains unauthorized access to the private keys controlling a wallet or smart contract,” said a spokesperson from blockchain security firm PeckShield. Hakan Unal of Cyvers added that if multiple Zoth contracts share the same admin key, more funds—such as a separate contract holding $12.28 million in USYC—could be at risk.
A Pattern of Vulnerability
This latest breach comes just two weeks after a previous hack on March 6, which cost Zoth approximately $285,000. That incident was traced to a vulnerability in a liquidity pool, where attackers were able to mint ZeUSD without posting sufficient collateral. Smart contract auditing firm Solidity Scan flagged this earlier exploit, but it appears broader internal risks were not yet addressed.
While Zoth has yet to reveal exactly how the key was compromised, the platform said it’s working with security partners to investigate. “We want to assure you that we are taking every necessary measure to mitigate the impact and resolve the issue,” a company spokesperson said in a statement.
Could This Have Been Prevented?
Cyvers suggested that real-time monitoring of admin changes and contract upgrades could have prevented—or at least quickly flagged—the attack. Many DeFi projects lack proactive infrastructure for detecting and halting suspicious admin-level activity, often reacting only after damage is done.
The Zoth exploit adds to a long list of DeFi hacks, with over $10 billion in losses to exploits and scams in the past five years, according to Chainalysis. Despite being part of a rapidly maturing industry, many DeFi platforms still lack basic security measures, making them vulnerable to targeted attacks.
Zoth’s situation now serves as another warning for the entire DeFi sector: without serious investment in key management, monitoring tools, and audit processes, the promises of decentralized finance remain fragile.