QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$8 512 000 USD
MARCH 2025
GLOBAL
ZOTH.IO
DESCRIPTION OF EVENTS
Zoth.io is the world’s first restaking layer purpose-built for Real-World Assets (RWAs), aiming to bridge the gap between traditional finance (TradFi) and decentralized finance (DeFi). It is designed to break down institutional barriers while simplifying access for retail users, thereby enabling a scalable, community-first RWAFi (Real-World Asset Finance) ecosystem. Through its permissionless infrastructure and composable financial instruments, Zoth transforms dormant RWAs into yield-generating opportunities.
Zoth.io is featured in industry-leading platforms such as Messari, and has rapidly gained traction with over $250 million in assets originated, $35.4 million in total value locked (TVL), and a community of over 1 million strong. The platform has active integrations across 7+ blockchain networks and is trusted by names like Chainlink, Ripple, Manta, Metis, and more, highlighting its robust ecosystem and credibility.
Zoth.io is transparent in its operations, supported by a comprehensive documentation suite and a focus on institutional-grade security. It ensures users can safely deposit high-quality on-chain and off-chain assets such as U.S. Treasury Bills and ETFs into collateral vaults. These assets are used to mint ZeUSD, a fully composable, permissionless, and omnichain stable token designed to unlock DeFi and RWAfi use cases.
Zoth.io is built to #ScaleRWAFi by supercharging the utility of real-world assets. Its infrastructure allows users to re-stake assets to generate rewards, access liquidity across chains, and benefit from permissionless but compliant issuance. ZeUSD can seamlessly integrate with DeFi platforms, DEXs, and liquidity pools, making it a versatile tool for yield generation and financial innovation.
Zoth.io is offering institutional-grade investment products via ZothFI, including ZTLN-P (Zoth Tokenized Liquid Notes Prime) offering up to 4–5% APY and ZSTF (Zoth Secured Trade Finance) offering up to 12% APY. These products are designed to appeal to accredited and institutional investors seeking low-risk, high-quality fixed-income portfolios without long lock-in periods.
Zoth.io is deeply community-driven, with vibrant participation across platforms like X (260K), Discord (180K), and Telegram (106K). It continues to make headlines, with milestones like launching ZeUSD, joining Ripple’s accelerator program, and partnering with institutions such as Plume, Singularity Finance, and Chainlink.
Zoth.io is shaping the future of onchain finance by providing the infrastructure necessary to tokenize trillions in untapped RWAs and integrate them seamlessly into DeFi. By combining robust financial tools with permissionless access and institutional credibility, Zoth is laying the foundation for a truly inclusive financial future.
The Zoth exploit was a highly sophisticated attack that involved both social engineering and advanced smart contract manipulation. The attacker first targeted a service provider used by Zoth’s infrastructure, executing a social engineering campaign that ultimately compromised access to the Zoth deployer wallet—an admin-privileged account with the authority to upgrade contracts. With this access, the attacker was able to deploy a malicious implementation contract using the upgradeToAndCall function. This contract was engineered to take over the logic of the proxy contract, which governed access to user funds stored in sub-vaults.
Once the malicious contract was in place, the attacker leveraged Ethereum’s low-level delegatecall opcode. This allowed the injected malicious logic to execute in the context of the proxy contract, giving the attacker full control over its storage and permissions. This effectively gave the attacker direct access to user assets within a specific sub-vault, which they then drained of approximately $8.45 million in crypto collateral, primarily USD0++.
The attacker’s method also showed signs of persistence and planning. Forensic investigators identified that the same malicious contract—0xc89d7894341e13d5067d003af5346b257d861f56—had been used in multiple failed attempts prior to the successful breach. The attacker’s wallets were funded through obfuscation layers like bridges, centralized exchanges (e.g., HTX and ChangeNOW), and VPN services to conceal their identity and source of funds. Further technical investigation revealed that the attacker employed fileless malware techniques using WMI (Windows Management Instrumentation) to maintain persistence and avoid detection, evidenced by suspicious service names and the absence of proper log timestamps on the compromised system.
Ultimately, the attack was enabled by a combination of compromised operational security, over-permissive administrative privileges, and the absence of sufficient safeguards on contract upgrade pathways. These weaknesses allowed the attacker to bypass protocol governance and execute unauthorized withdrawals, highlighting the critical need for enhanced access controls, monitoring, and secure upgrade mechanisms in smart contract protocols.
Rekt.news reports $8.4m.
The incident was announced and regular updates were provided. The community appears to remain largely supportive of the project.
"Our main goal in overcoming this unfortunate setback is to ensure that our users are offered a fair and equitable resolution plan aided by the ethos of our product structure.
Since ZeUSD, the product affected in the incident, was structured to isolate risk and limit exposure to underlying assets, we are working towards a hybrid recovery model approach that offers capital preservation through stable assets and $ZOTH vested tokens derived from core contributor allocation or potential partner tokens, with additional support from a recovery fund for direct repayments or token buybacks."
Zoth.io is the first restaking layer designed specifically for Real-World Assets (RWAs). With over $250M in assets originated, $35.4M TVL, and a strong community, Zoth offers institutional-grade security, seamless cross-chain integrations, and innovative products like ZeUSD and ZothFI’s fixed-income offerings. On March 21st, 2025, Zoth suffered an $8.45M exploit due to a sophisticated attack combining social engineering and contract upgrade vulnerabilities. The attacker compromised admin privileges, deployed a malicious contract, and drained funds via low-level delegatecall operations. Despite the breach, Zoth has maintained community support and is pursuing a hybrid recovery plan involving stable assets, vested $ZOTH tokens, and buyback mechanisms, while reinforcing its security infrastructure for the future.
HOW COULD THIS HAVE BEEN PREVENTED?
The Zoth exploit could have been prevented—or its impact significantly mitigated—through a combination of stronger operational security, tighter smart contract upgrade controls, and layered security practices.
KiloEx - Rekt (Apr 21)
Chaofan Shou - ".@KiloEx_perp is hacked. $6M+ loss already. Likely due to price oracle access control issues." - Twitter/X (Apr 21)
Cyvers Alerts - "An address funded via @TornadoCash has executed a series of exploitative transactions on the $BNB, $Base, and $Taiko chains — accumulating approximately $7M in total." - Twitter/X (Apr 21)
Chaofan Shou - "Anyone can change the Kilo's price oracle. lol" - Twitter/X (Apr 21)
KiloEx - "Security Incident Announcement: KiloEx Vault Exploit" - Twitter/X (Apr 22)
PeckShield - "The @KiloEx_perp protocol was hacked today with a loss of ~7.5m ($3.3m in base, $3.1m in opBNB, $1m in BSC)." - Twitter/X (Apr 22)
Binance-Backed DEX KiloEX Suspends Operations Following $7.5 Million Exploit - Decrypt (Apr 22)
KiloEx's KILO Token Surges as Funds Recovered Swiftly After ‘Sophisticated’ Hack - CoinDesk (Apr 22)
Attacker Profits 3,125,495.724597 USDC - BaseScan (Apr 22)
Attacker Profits 892,937.51908942 BSC-USD - BNBScan (Apr 22)
Attacker Profits 2,885,961.64279485 USDT - OPBNBScan (Apr 22)
Attacker Profits 40,959.971124 USDC - TaikoScan (Apr 22)
Attacker Profits 100,000 USDT - Manta Network (Apr 22)
Security Incident Report: 10th April, 2025 | by ZOTH | Apr, 2025 | Medium (Apr 22)
https://x.com/zothdotio/status/1895872365034422771 (Apr 22)
https://x.com/0xtroll/status/1903015353611063345 (Apr 28)
