Hacker steals $8.4M from RWA restaking protocol Zoth

Real-world asset (RWA) re-staking protocol Zoth suffered an exploit leading to over $8.4 million in losses, leading the platform to put its site on maintenance mode. 

On March 21, blockchain security firm Cyvers flagged a suspicious Zoth transaction. The security firm said that the protocol’s deployer wallet was compromised and that the attacker withdrew over $8.4 million in crypto assets. 

The blockchain security firm said that within minutes, the stolen assets were converted into the DAI stablecoin and were transferred to a different address. 

Cyvers added the protocol’s website had been maintained in response to the incident. In a security notice, the platform confirmed that it had a security breach. The protocol said it’s working to resolve the problem as soon as possible. 

The Zoth team said it worked with its partners to “mitigate the impact” and fully resolve the situation. The platform promised to publish a detailed report once its investigation is completed. 

Since the hack, the attackers have moved the funds and swapped the assets into Ether (ETH), according to PeckShield. 

Related: SMS scammers posing as Binance have an even trickier way to fool victims

Hack likely caused by admin privilege leak

In a statement, the Cyvers team said the incident highlights vulnerabilities in smart contract protocols and the need for better security. 

Cyvers Alerts senior SOC lead Hakan Unal told Cointelegraph that a leak in admin privileges likely caused the hack. Unal said that about 30 minutes before the hack was detected, a Zoth contract was upgraded to a malicious version deployed by a suspicious address. 

“Unlike typical exploits, this method bypassed security mechanisms and gave full control over user funds instantly,” the security professional said. 

The security professional told Cointelegraph that this type of attack could be prevented by implementing multisig contract upgrades to prevent single-point failures, adding timelocks on upgrades to allow monitoring and placing real-time alerts for admin role changes. Unal added that better key management is also advised to prevent unauthorized access. 

While the attack could be prevented, Unal believes that this type of attack may continue to be a problem in decentralized finance (DeFi). The security professional told Cointelegraph that admin key compromises remain a “major risk” in the DeFi ecosystem. 

“Without decentralized upgrade mechanisms, attackers will continue targeting privileged roles to take over protocols,” Unal added. 

Magazine: Memecoins are ded — But Solana ‘100x better’ despite revenue plunge