Zoth DeFi Protocol Hack - March 21, 2025
Overview
Zoth, a real-world asset protocol, suffered a major security breach resulting in $8.4 million in losses within weeks of a previous $285,000 attack.
What Happened
On March 21, 2025, attackers compromised Zoth's deployer wallet and executed a contract upgrade that drained the protocol's vaults. The operation was completed in minutes, converting 8.85 million USD0++ tokens to DAI before transferring funds away.
Technical Root Cause
The attack exploited compromised admin credentials rather than a code vulnerability. The Zoth team noted: *"Our system has experienced a security breach"*. Investigations revealed that the attacker had been conducting reconnaissance for weeks, with multiple failed attempts, before successfully breaching the system.
Attack Vector/Exploit Steps
1. Compromised deployer wallet access
2. Upgraded the proxy contract "USD0PPSubVaultUpgradeable"
3. Executed precision swap of USD0++ tokens to DAI
4. Transferred funds to attacker-controlled address
5. Complete extraction within minutes
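Because step 2 is a proxy upgrade, it leaves a log event that can be checked against a list of reviewed implementations. The following detection sketch is an added example, not code from Zoth or its investigators. It assumes the proxy emits the EIP-1967 `Upgraded(address)` event, as OpenZeppelin upgradeable proxies do; the function names, addresses and hashes are constructed placeholders.

```python
# keccak256("Upgraded(address)"): topic0 of the EIP-1967 upgrade event (assumed event).
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"

def topic_to_address(topic):
    """Decode an indexed address (left-padded to 32 bytes) from a log topic."""
    raw = topic.lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    if len(raw) != 64 or raw[:24] != "0" * 24:
        raise ValueError(f"not a padded address topic: {topic}")
    int(raw, 16)  # raises ValueError on non-hex input
    return "0x" + raw[24:]

def find_unapproved_upgrades(logs, watched_proxies, approved_impls):
    """Return one alert per Upgraded event on a watched proxy whose new
    implementation is not on the reviewed allow-list."""
    watched = {a.lower() for a in watched_proxies}
    approved = {a.lower() for a in approved_impls}
    alerts = []
    for log in logs:
        topics = log.get("topics", [])
        if log.get("address", "").lower() not in watched:
            continue  # some other contract
        if not topics or topics[0].lower() != UPGRADED_TOPIC:
            continue  # some other event
        try:
            impl = topic_to_address(topics[1])
        except (IndexError, ValueError):
            impl = None  # malformed upgrade event on a watched proxy: alert anyway
        if impl not in approved:
            alerts.append({"proxy": log["address"].lower(), "new_impl": impl,
                           "block": int(log["blockNumber"], 16),
                           "tx": log["transactionHash"]})
    return alerts

# Constructed sample logs in eth_getLogs shape (placeholder addresses and hashes).
PROXY, REVIEWED_IMPL, UNKNOWN_IMPL = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
SAMPLE_LOGS = [
    {"address": PROXY, "topics": [UPGRADED_TOPIC, "0x" + "00" * 12 + "bb" * 20],
     "blockNumber": "0x10", "transactionHash": "0x" + "01" * 32},  # reviewed upgrade
    {"address": PROXY, "topics": [UPGRADED_TOPIC, "0x" + "00" * 12 + "cc" * 20],
     "blockNumber": "0x11", "transactionHash": "0x" + "02" * 32},  # unreviewed upgrade
    {"address": "0x" + "dd" * 20, "topics": [UPGRADED_TOPIC, "0x" + "00" * 12 + "cc" * 20],
     "blockNumber": "0x12", "transactionHash": "0x" + "03" * 32},  # unwatched contract
]

if __name__ == "__main__":
    for alert in find_unapproved_upgrades(SAMPLE_LOGS, [PROXY], [REVIEWED_IMPL]):
        print("ALERT unapproved upgrade:", alert)
```

An alert like this only buys response time if upgrades are also delayed, for example behind a timelock or multisig, since here the extraction completed within minutes.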
Financial Impact
Primary loss: $8.4 million USD0++
Secondary context: Third $285,000 exploit occurred March 1, 2025
Mitigation: Asset issuers locked down 73% of TVL post-breach
On-Chain Evidence
Attacker Address: 0x3b33c5Cd948Be5863b72cB3D6e9C0b36E67d01E5
Victim Address: 0x82f3a0392F58C50fa90542519832471BaE93e43e
Attack Transaction: 0x33bf669d125d11c432ac9b52b9d56161101c072fd8b0ac2aa390f5760fb50ca4
Final Destination: 0x7b0cd0D83565aDbB57585d0265b7D15d6D9f60cf
Remediation
• Zoth & Securr established a $500,000 bounty for fund recovery (10% of recovered assets)
• Engaged Crystal Blockchain BV for investigation
• Promised detailed incident report within weeks
Key Takeaway
The breach underscores that administrative key compromise—not code flaws—remains DeFi's most dangerous vulnerability.