Real-world asset (RWA) re-staking protocol Zoth loses $8.4M to hackers

• Zoth has lost $8.4M in a hack due to a compromised deployer wallet.
• Admin privilege leak is being blamed for the attack.
• The attacker swapped stolen USD0++ to DAI and ETH, evading tracking.

Zoth, a real-world asset (RWA) re-staking protocol designed to bridge traditional finance with blockchain technology, has suffered an exploit that drained over $8.4 million in crypto assets.

The incident, flagged by blockchain security firm Cyvers just after midday, sent shockwaves through the ecosystem, prompting Zoth to halt operations and place its website into maintenance mode as the team scrambled to respond.

The breach unfolded with alarming speed and precision, exposing vulnerabilities in Zoth’s infrastructure.

According to Cyvers, the protocol’s deployer wallet—the critical administrative backbone of the system—was compromised. Roughly 30 minutes before the hack was detected, an attacker upgraded the “USD0PPSubVaultUpgradeable” proxy contract to a malicious version, deployed from a suspicious address.

🚨ALERT🚨Our system has detected a suspicious transaction involving @zothdotio . It appears that the protocol's deployer wallet has been compromised.

30 minutes ago, the proxy contract "USD0PPSubVaultUpgradeable" was upgraded to a contract created by a suspicious address.
The… pic.twitter.com/3OHmvJYpR5

— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) March 21, 2025

This swift manoeuvre allowed the hacker to bypass existing security measures, granting them instant control over user funds and enabling the withdrawal of $8.4 million worth of USD0++ tokens.

In the minutes following the theft, the attacker wasted no time covering their tracks. The stolen assets were rapidly converted into the DAI stablecoin and funnelled to a separate address, a move designed to obscure the funds’ origins.

Later, as reported by blockchain analytics firm PeckShield, the hacker swapped the assets into Ethereum (ETH), valued at approximately $1,967 per unit at the time, further complicating efforts to trace the loot.

#PeckShieldAlert @zothdotio hacker has swapped the stolen funds for 4,223 $ETH pic.twitter.com/OAlYk1TqJg

— PeckShieldAlert (@PeckShieldAlert) March 21, 2025

This sophisticated sequence of transactions underscored the attacker’s familiarity with DeFi mechanics and their intent to evade recovery attempts.

Zoth has acknowledged the hack

Zoth’s team was quick to acknowledge the breach, issuing a security notice on X at 3:02 AM PDT on March 21. They confirmed the incident and assured users that they were investigating with urgency, collaborating with partners to mitigate the fallout.

The platform has vowed to release a comprehensive report once it completes its probe, a promise echoed in its commitment to transparency amid the chaos.

Security Notice

Our system has experienced a security breach. We’re actively investigating the incident and taking all necessary steps to resolve it as swiftly as possible.

We are working closely with our partners to mitigate the impact and fully resolve the issue. A detailed…

— ZOTH (@zothdotio) March 21, 2025

For a protocol that had raised $4 million in August 2024 to tokenize secure assets like US Treasury Bills, the hack was a stark reminder of the risks lurking in even the most promising DeFi ventures.