Zoth, a decentralized finance (DeFi) protocol focused on restaking real-world assets, has suffered a major security breach that led to losses exceeding $8.4 million.
The company confirmed the exploit shortly after it was detected by blockchain security firm Cyvers. In response, Zoth took its website offline for maintenance as the team launched an investigation and began working with partners to minimize further damage.
Rapid Attack Execution Raises Alarms
The incident was first flagged on March 21 by Cyvers, which identified unusual activity from Zoth’s deployer wallet. The attacker acted swiftly, extracting over $8.4 million worth of crypto assets and converting them into DAI stablecoins. Within minutes, the funds were moved to a new wallet, complicating recovery efforts.
PeckShield, another blockchain analytics firm, later reported that the stolen DAI was swapped for Ethereum (ETH), a more liquid asset often used by attackers to obscure transaction trails. Once in ETH, the funds can be hidden through decentralized exchanges or mixing services, making tracking extremely difficult.
Admin Privilege Exploit Behind the Breach
Unlike many DeFi attacks that exploit smart contract bugs, this attack was likely caused by a misuse of admin privileges. Security researchers found that just 30 minutes before the theft, one of Zoth’s smart contracts was upgraded through a suspicious address. This unauthorized update gave the attacker full control over the protocol’s funds.
Instead of breaking the contract’s logic, the hacker appears to have used access typically reserved for administrators to deploy a malicious version of the contract. This method suggests a well-planned operation that avoided the usual detection methods tied to code vulnerabilities.
Experts believe this exploit could have been prevented with better safeguards. Suggested improvements include:
- Multisignature Authentication: Requiring multiple signatures for important changes would stop a single compromised admin from taking over.
- Timelocks on Updates: Delaying changes gives security teams time to act if something looks suspicious.
- Real-Time Alerts: Automated notifications when admin roles change could trigger quicker responses to threats.
- Decentralized Governance: Spreading control across a community or automated system can help prevent unauthorized actions by a single actor.
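The real-time alert idea can be made concrete with a small triage routine, added here as an illustration and not taken from Zoth or the firms quoted: it flags privileged changes sent by an address outside an approved set, and escalates when a large outflow follows within the roughly 30-minute gap reported above. It assumes logs are already decoded, that the watched contract emits `Upgraded`, `AdminChanged` or `OwnershipTransferred` events, and that upgrades should only come from an allow-listed timelock; all addresses and amounts are constructed placeholders.

```python
from dataclasses import dataclass

# Decoded event names treated as privileged changes (assumed proxy/Ownable-style contract).
ADMIN_EVENTS = {"Upgraded", "AdminChanged", "OwnershipTransferred"}
WINDOW = 30 * 60  # seconds; the article reports ~30 minutes between upgrade and theft

@dataclass(frozen=True)
class Event:
    ts: int                 # block timestamp, unix seconds
    contract: str           # watched contract the event concerns
    name: str               # decoded event name
    sender: str             # address that sent the transaction
    value_usd: float = 0.0  # outflow size, set only for Transfer events

def triage(events, watched, approved, outflow_usd):
    """Return (severity, ts, contract, reason) alerts in time order."""
    alerts, suspect = [], {}  # suspect: contract -> ts of last unapproved admin change
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.contract not in watched:
            continue
        if ev.name in ADMIN_EVENTS and ev.sender not in approved:
            suspect[ev.contract] = ev.ts
            alerts.append(("HIGH", ev.ts, ev.contract,
                           f"{ev.name} sent by unapproved address {ev.sender}"))
        elif ev.name == "Transfer" and ev.value_usd >= outflow_usd:
            t0 = suspect.get(ev.contract)
            if t0 is not None and ev.ts - t0 <= WINDOW:
                alerts.append(("CRITICAL", ev.ts, ev.contract,
                               f"${ev.value_usd:,.0f} outflow {ev.ts - t0}s after unapproved change"))
    return alerts

# Constructed sample data: placeholder addresses, not real on-chain values.
PROXY, TIMELOCK, UNKNOWN = "0xPROXY", "0xTIMELOCK", "0xUNKNOWN"
SAMPLE = [
    Event(1_000, PROXY, "Upgraded", TIMELOCK),             # routine upgrade via timelock
    Event(2_000, PROXY, "Transfer", TIMELOCK, 9_000_000),  # large but uncorrelated outflow
    Event(50_000, PROXY, "Upgraded", UNKNOWN),             # upgrade from unexpected sender
    Event(51_700, PROXY, "Transfer", UNKNOWN, 8_400_000),  # drain about 28 minutes later
    Event(51_800, "0xOTHER", "Upgraded", UNKNOWN),         # contract not on the watch list
]

if __name__ == "__main__":
    for alert in triage(SAMPLE, {PROXY}, {TIMELOCK}, 1_000_000):
        print(*alert, sep=" | ")
```

The HIGH alert fires at the upgrade itself, which is the point at which a pause or timelock cancellation is still possible; the CRITICAL alert only confirms the pattern after funds have moved.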
Zoth’s exploit adds to a growing list of DeFi attacks involving central admin key access. Although DeFi aims to eliminate central points of failure, many protocols still depend on privileged admin rights. This contradiction leaves systems vulnerable to targeted attacks.