Zoth Platform Faces Second Security Breach, Resulting in $8.85 Million Loss
Zoth, a platform built on the Ethereum blockchain that focuses on tokenizing real-world assets, experienced its second major security breach in less than three weeks on March 21. During this incident, hackers were able to drain $8.85 million in digital assets from the platform.
Confirmation and Investigation
The company has confirmed the breach and is currently working with security experts to investigate the incident further.
Bounty Offered for Hacker Identification
Zoth has announced a $500,000 bounty for any information that leads to the identification of the hacker responsible for the recent exploit.
Details of the Breach
The hack took place in the early hours of March 21 when the attacker compromised an admin key and gained control of a Zoth proxy contract. By upgrading the contract, the hacker was able to facilitate unauthorized fund transfers.
- $8.85 million in USD stablecoins were drained from the contract.
- The stolen funds were converted into 4,223 ETH.
- The ETH was then transferred to an external wallet.
Previous Exploit
This is the second security breach that Zoth has faced this month. On March 6, another attacker exploited a vulnerability in one of the platform’s liquidity pools, resulting in a $285,000 loss.
Security Measures and Future Plans
Security experts believe that better key management and real-time monitoring could have prevented these breaches. They also warn that other contracts within the platform may be at risk if they share the same admin access.
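As an illustration of the real-time monitoring mentioned above, the following added example (not Zoth's code and not from the original article) scans event logs for proxy upgrades that point at an implementation nobody reviewed. It assumes the proxy emits the standard ERC-1967 `Upgraded(address)` event and that logs arrive in the JSON shape returned by `eth_getLogs`; all addresses, transaction hashes and log entries are constructed.

```python
# Added example: flag proxy upgrades that point at an unreviewed implementation.
# Assumption: the proxy emits the ERC-1967 event Upgraded(address indexed implementation).
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; return its low 20 bytes."""
    raw = topic.lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    if len(raw) != 64 or raw[:24] != "0" * 24:
        raise ValueError("topic is not a padded address")
    int(raw, 16)  # raises ValueError on non-hex input
    return "0x" + raw[24:]

def find_unapproved_upgrades(logs, approved):
    """approved maps each watched proxy to the set of reviewed implementations."""
    approved = {p.lower(): {i.lower() for i in impls} for p, impls in approved.items()}
    alerts = []
    for log in logs:
        proxy = log.get("address", "").lower()
        topics = log.get("topics") or []
        if proxy not in approved or not topics or topics[0].lower() != UPGRADED_TOPIC:
            continue  # not a watched proxy, or not an upgrade event
        try:
            impl = topic_to_address(topics[1])
        except (IndexError, ValueError):
            impl = None  # malformed event on a watched proxy: alert rather than skip
        if impl not in approved[proxy]:
            alerts.append({"proxy": proxy, "implementation": impl,
                           "block": int(log.get("blockNumber", "0x0"), 16),
                           "tx": log.get("transactionHash")})
    return alerts

# Constructed sample data (not real addresses or transactions).
PROXY, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
IMPL_V2, IMPL_ROGUE = "0x" + "aa" * 20, "0x" + "bb" * 20
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

def pad(addr):
    """Encode an address the way it appears in an indexed event topic."""
    return "0x" + "00" * 12 + addr[2:]

def sample_log(address, topics, block, n):
    return {"address": address, "topics": topics, "blockNumber": hex(block),
            "transactionHash": "0x" + f"{n:02x}" * 32}

SAMPLE_LOGS = [
    sample_log(PROXY, [UPGRADED_TOPIC, pad(IMPL_V2)], 100, 1),     # reviewed upgrade
    sample_log(PROXY, [TRANSFER_TOPIC], 105, 2),                   # unrelated event
    sample_log(OTHER, [UPGRADED_TOPIC, pad(IMPL_ROGUE)], 108, 3),  # contract not watched
    sample_log(PROXY, [UPGRADED_TOPIC, pad(IMPL_ROGUE)], 110, 4),  # unreviewed upgrade
]

if __name__ == "__main__":
    for alert in find_unapproved_upgrades(SAMPLE_LOGS, {PROXY: {IMPL_V2}}):
        print("ALERT unapproved upgrade:", alert)
```

Listing every contract that shares the same admin key in `approved` covers the concern that one compromised key can upgrade several proxies.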
Zoth has not confirmed whether affected users will be reimbursed but has stated its commitment to enhancing security measures to prevent similar incidents in the future.
Risks in Decentralized Finance
These incidents highlight the risks associated with decentralized finance platforms, especially those that rely on centralized admin controls. Blockchain security firms have reported a significant increase in sophisticated key compromises, resulting in over $10 billion in losses from DeFi-related exploits over the past five years.
The company has not disclosed how the attacker obtained the private key but has promised to provide updates as the investigation progresses.