Ethereum real-world asset platform Zoth suffered an attack that led to a loss of $8.85 million. Security experts believe that the hack, the second suffered by the company in a month, came after a private key leak.
On Friday morning, a Zoth proxy contract was upgraded by what security firm Cyvers called a "suspicious address." Shortly after, $8.85 million in USD0++ stablecoin was transferred out of the proxy contract to the attacker's wallet before all the funds were swapped to DAI and moved to another address. The attacker later swapped the stolen funds for 4,223 ETH ($8,300,800).
"Our team is actively investigating the situation alongside our security partners," a Zoth spokesperson told Decrypt. "We want to assure you that we are taking all the necessary measures to mitigate the impact and solve the problem."
A proxy contract is a smart contract that, among other things, forwards calls and funds to other contracts, called implementation contracts, to keep operations running smoothly. It is very common in the world of DeFi.
In this exploit, it appears that the attacker had access to the private key for the proxy contract, which allowed them to upgrade it, changing the implementation contract address to point to their own wallet. This then made it possible to send all funds from inside the proxy contract directly to the attacker.
"This type of attack generally occurs when an attacker gains unauthorized access to private keys controlling a wallet or smart contract, allowing them to transfer funds out of the system," a PeckShield spokesperson told Decrypt.
"The attacker gained admin access, probably through a leaked key or an exploit," according to Hakan Unal, a senior blockchain scientist at Cyvers. He added that Zoth likely has several proxy contracts, such as this contract holding $12.28 million in USYC, which means that more funds could also be at risk if they share the same admin access.
Zoth did not comment on how the contract's private key fell into the attacker's hands, but told Decrypt that it will publish an update once it has completed its investigation.
Cyvers suggested that real-time monitoring that alerts the company when admin roles change or contract upgrades are made could have helped prevent this attack.
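The kind of monitoring Cyvers describes could look like the following added example, which is not Zoth's or Cyvers' code: it scans eth_getLogs-style entries for upgrade and admin-change events on watched proxies. It assumes the proxies emit the standard ERC-1967 `Upgraded` and `AdminChanged` events; every address, transaction hash and log entry is constructed for illustration.

```python
# Added example: alert on proxy upgrades and admin changes (assumes ERC-1967 events).
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"  # Upgraded(address)
ADMIN_CHANGED = "0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f"  # AdminChanged(address,address)

def word_to_address(word):
    """Return the low 20 bytes of a 32-byte ABI word as a 0x address."""
    return "0x" + word.lower()[-40:]

def scan_logs(logs, watched, approved_impls):
    """Return alert tuples for log entries emitted by watched proxy contracts."""
    watched = {a.lower() for a in watched}
    approved = {a.lower() for a in approved_impls}
    alerts = []
    for log in logs:
        proxy, topics = log["address"].lower(), log["topics"]
        if proxy not in watched or not topics:
            continue
        topic0 = topics[0].lower()
        if topic0 == UPGRADED and len(topics) > 1:
            impl = word_to_address(topics[1])  # implementation is an indexed argument
            if impl not in approved:  # only implementations reviewed in advance pass
                alerts.append(("UNAPPROVED_UPGRADE", proxy, impl, log["transactionHash"]))
        elif topic0 == ADMIN_CHANGED:
            data = log["data"][2:] if log["data"].startswith("0x") else log["data"]
            if len(data) >= 128:  # two 32-byte words: previousAdmin, newAdmin
                new_admin = word_to_address(data[64:128])
                alerts.append(("ADMIN_CHANGED", proxy, new_admin, log["transactionHash"]))
    return alerts

# Constructed sample data: none of these addresses or hashes are real.
PROXY, OTHER = "0x" + "a1" * 20, "0x" + "f6" * 20
GOOD_IMPL, BAD_IMPL = "0x" + "b2" * 20, "0x" + "c3" * 20
OLD_ADMIN, NEW_ADMIN = "0x" + "e5" * 20, "0x" + "d4" * 20

def pad(addr):
    """Left-pad a 20-byte address to a 32-byte ABI word (hex, no 0x prefix)."""
    return "0" * 24 + addr[2:]

def make_log(address, topics, data, n):
    return {"address": address, "topics": topics, "data": data,
            "transactionHash": "0x" + f"{n:02x}" * 32}

SAMPLE_LOGS = [
    make_log(PROXY, [UPGRADED, "0x" + pad(GOOD_IMPL)], "0x", 1),  # approved upgrade
    make_log(PROXY, [ADMIN_CHANGED], "0x" + pad(OLD_ADMIN) + pad(NEW_ADMIN), 2),
    make_log(PROXY, [UPGRADED, "0x" + pad(BAD_IMPL)], "0x", 3),   # not on allowlist
    make_log(OTHER, [UPGRADED, "0x" + pad(BAD_IMPL)], "0x", 4),   # unwatched contract
]

if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS, [PROXY], [GOOD_IMPL]):
        print(alert)
```

In a live deployment the same function would run over each new block's logs, with the allowlist fed from the team's reviewed release process.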
It appears to be the second hack to hit the DeFi project in the space of a month, after the project lost $285,000 in an attack on March 6. That attack followed an exploit in a liquidity pool that allowed the attacker to mint ZeUSD without depositing sufficient collateral, according to smart contract auditor Solidity Scan.
Zoth did not respond to Decrypt's request for comment on this second attack.