Zoth ZeUSD Malicious Proxy Upgrade via Deployer Exploit
Zoth.io is the first restaking layer designed specifically for Real-World Assets (RWAs). With over $250M in assets originated, $35.4M TVL, and a strong community, Zoth offers institutional-grade security, seamless cross-chain integrations, and innovative products like ZeUSD and ZothFI’s fixed-income offerings. On March 21st, 2025, Zoth suffered an $8.45M exploit due to a sophisticated attack combining social engineering and contract upgrade vulnerabilities. The attacker compromised admin privileges, deployed a malicious contract, and drained funds via low-level delegatecall operations. Despite the breach, Zoth has maintained community support and is pursuing a hybrid recovery plan involving stable assets, vested $ZOTH tokens, and buyback mechanisms, while reinforcing its security infrastructure for the future.[1][2][3][4][5][6][7][8][9][10][11][12][13]
About Zoth.io
Zoth.io is the world’s first restaking layer purpose-built for Real-World Assets (RWAs), aiming to bridge the gap between traditional finance (TradFi) and decentralized finance (DeFi). It is designed to break down institutional barriers while simplifying access for retail users, thereby enabling a scalable, community-first RWAFi (Real-World Asset Finance) ecosystem. Through its permissionless infrastructure and composable financial instruments, Zoth transforms dormant RWAs into yield-generating opportunities.
Zoth.io is featured in industry-leading platforms such as Messari, and has rapidly gained traction with over $250 million in assets originated, $35.4 million in total value locked (TVL), and a community of over 1 million strong. The platform has active integrations across 7+ blockchain networks and is trusted by names like Chainlink, Ripple, Manta, Metis, and more, highlighting its robust ecosystem and credibility.
Zoth.io is transparent in its operations, supported by a comprehensive documentation suite and a focus on institutional-grade security. It ensures users can safely deposit high-quality on-chain and off-chain assets such as U.S. Treasury Bills and ETFs into collateral vaults. These assets are used to mint ZeUSD, a fully composable, permissionless, and omnichain stable token designed to unlock DeFi and RWAfi use cases.
Zoth.io is built to #ScaleRWAFi by supercharging the utility of real-world assets. Its infrastructure allows users to re-stake assets to generate rewards, access liquidity across chains, and benefit from permissionless but compliant issuance. ZeUSD can seamlessly integrate with DeFi platforms, DEXs, and liquidity pools, making it a versatile tool for yield generation and financial innovation.
Zoth.io is offering institutional-grade investment products via ZothFI, including ZTLN-P (Zoth Tokenized Liquid Notes Prime) offering up to 4–5% APY and ZSTF (Zoth Secured Trade Finance) offering up to 12% APY. These products are designed to appeal to accredited and institutional investors seeking low-risk, high-quality fixed-income portfolios without long lock-in periods.
Zoth.io is deeply community-driven, with vibrant participation across platforms like X (260K), Discord (180K), and Telegram (106K). It continues to make headlines, with milestones like launching ZeUSD, joining Ripple’s accelerator program, and partnering with institutions such as Plume, Singularity Finance, and Chainlink.
Zoth.io is shaping the future of onchain finance by providing the infrastructure necessary to tokenize trillions in untapped RWAs and integrate them seamlessly into DeFi. By combining robust financial tools with permissionless access and institutional credibility, Zoth is laying the foundation for a truly inclusive financial future.
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
Zoth's ZeUSD implementation fell victim to an $8.4m exploit due to compromised operational security, over-permissive administrative privileges, and the absence of sufficient safeguards on contract upgrade pathways.
| Date | Event | Description |
|---|---|---|
| March 1st, 2025 9:22:00 AM MST | ZeUSD Goes Live Tweet | Zoth announces that ZeUSD is now officially live and accessible to everyone, marking a major milestone after a successful beta and pre-deposit phase that saw over $28 million issued. Public minting is now available through Atlas, Zoth’s on-chain portal, making it easier than ever for users to join the ZeUSD ecosystem. This launch opens up the door for anyone to tap into on-chain RWA yields by simply minting and holding ZeUSD. |
| March 21st, 2025 2:46:59 AM MDT | Zoth Smart Contract Upgrade | The Zoth smart contract is upgraded. |
| March 21st, 2025 2:47:35 AM MDT | Ethereum Transaction | Funds are withdrawn from the Zoth smart contract. |
| March 21st, 2025 4:02:00 AM MDT | Zoth Security Notice | Zoth posts a security notice confirming a system breach and assures the community that an active investigation is underway. The team is collaborating with partners to minimize the impact and fully resolve the incident. Zoth commits to sharing a comprehensive report once the investigation is complete and thanks users for their patience and understanding. |
| March 21st, 2025 12:26:00 PM MDT | Zoth Security Bounty | Zoth announces a $500,000 security bounty in response to the breach, aiming to identify the hacker and recover stolen assets. Zoth is reportedly collaborating with leading experts and will release a full report once the investigation concludes. The team encourages anyone with relevant information to contact them and thanks the community for its continued support. |
| March 22nd, 2025 8:05:00 AM MDT | Zoth Security Update | Zoth provides an update on the recent security incident, revealing that the protocol was exploited through a malicious proxy upgrade after the attacker gained unauthorized access to the deployer account. This allowed them to withdraw funds from a vault containing USD0++ collateral. The attack was premeditated, with on-chain activity showing weeks of preparation and multiple failed attempts before success. A portion of the stolen funds has been traced to a specific wallet, while 73% of Zoth’s TVL was secured in collaboration with asset issuer partners. The team is working with security experts, including Crystal Blockchain BV, and will release a full report in the coming weeks. A $500,000 bounty remains in place for information leading to fund recovery. |
| March 24th, 2025 8:56:00 AM MDT | Zoth Progress Update | Zoth provides another update on its ongoing security investigation, confirming continued progress in collaboration with global forensic experts and law enforcement agencies. Monitoring systems are now active, and an additional recovery agency has been brought on board to accelerate efforts. The team remains committed to asset recovery and promises further updates as developments unfold. |
| March 26th, 2025 10:15:03 AM MDT | Halborn LinkedIn Post | Halborn posts on LinkedIn about both March attacks against Zoth, focusing on the second and much larger attack near the end of the month. |
| March 27th, 2025 9:28:00 AM MDT | Zoth Law Enforcement | Zoth provides an update on its security incident investigation, stating that its team and intelligence partners are actively tracing the stolen funds and sharing findings with both on-chain and Web2 platforms. The attacker’s wallets currently hold over 4,200 ETH, and interactions with various platforms have been identified. Zoth is working closely with law enforcement and plans to release a detailed postmortem report and recovery roadmap soon. The team reaffirms its commitment to transparency and rebuilding a stronger ecosystem with the community's continued support. |
| March 30th, 2025 7:52:00 AM MDT | Zoth Around The Clock | Zoth issues another update confirming that while no significant fund movement has occurred since the last report, investigations remain active and ongoing. The team continues to monitor the attacker’s wallets in real time, collaborate with on-chain analytics partners to trace the digital trail, and coordinate with law enforcement on next steps. Zoth reaffirms its commitment to transparency and promises a detailed postmortem and recovery roadmap once investigations are complete, thanking the community for its continued trust and support. |
| April 10th, 2025 10:30:00 AM MDT | Zoth Publishes PostMortem | Zoth publishes a post-mortem report, which includes next steps for their partners and community. The attack, traced to a sophisticated social engineering breach of a service provider, allowed the attacker unauthorized admin-level access and a malicious contract upgrade, resulting in the theft of approximately $8.45 million from a collateral vault. Zoth immediately froze $20 million in remaining assets and launched an extensive investigation with cybersecurity firms, on-chain forensic experts, and law enforcement. The team is offering a $500,000 bounty for information leading to fund recovery and is pursuing a hybrid compensation model for affected users, while implementing robust new security measures and preparing for a secure platform relaunch. |
| April 16th, 2025 1:38:00 AM MDT | Zoth Still Here Strong | Zoth tweets that they are "still here" and "[s]tronger than ever" along with a collage of supportive tweets from their community. |
Technical Details
The Zoth exploit was a highly sophisticated attack that involved both social engineering and advanced smart contract manipulation. The attacker first targeted a service provider used by Zoth’s infrastructure, executing a social engineering campaign that ultimately compromised access to the Zoth deployer wallet—an admin-privileged account with the authority to upgrade contracts. With this access, the attacker was able to deploy a malicious implementation contract using the upgradeToAndCall function. This contract was engineered to take over the logic of the proxy contract, which governed access to user funds stored in sub-vaults.
Once the malicious contract was in place, the attacker leveraged Ethereum’s low-level delegatecall opcode. This allowed the injected malicious logic to execute in the context of the proxy contract, giving the attacker full control over its storage and permissions. This effectively gave the attacker direct access to user assets within a specific sub-vault, which they then drained of approximately $8.45 million in crypto collateral, primarily USD0++.
The attacker’s method also showed signs of persistence and planning. Forensic investigators identified that the same malicious contract—0xc89d7894341e13d5067d003af5346b257d861f56—had been used in multiple failed attempts prior to the successful breach. The attacker’s wallets were funded through obfuscation layers like bridges, centralized exchanges (e.g., HTX and ChangeNOW), and VPN services to conceal their identity and source of funds. Further technical investigation revealed that the attacker employed fileless malware techniques using WMI (Windows Management Instrumentation) to maintain persistence and avoid detection, evidenced by suspicious service names and the absence of proper log timestamps on the compromised system.
Ultimately, the attack was enabled by a combination of compromised operational security, over-permissive administrative privileges, and the absence of sufficient safeguards on contract upgrade pathways. These weaknesses allowed the attacker to bypass protocol governance and execute unauthorized withdrawals, highlighting the critical need for enhanced access controls, monitoring, and secure upgrade mechanisms in smart contract protocols.
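The timeline above shows the pattern a monitoring system should catch: an implementation change on the proxy with no prior announcement, followed 36 seconds later by a large outbound transfer. The detector below is an added example (not code from Zoth or any cited source) that applies those three checks to a stream of already-decoded events; the `PROXY` address, the `APPROVED_IMPLS` allowlist and the `UpgradeScheduled` timelock event are assumptions, and the sample streams are constructed.

```python
"""Flag proxy upgrades that bypass a timelock and are followed by a fast drain.

Events are already-decoded logs (constructed inline; a deployment would feed
them from a node). "Upgraded" is the ERC-1967 event; "UpgradeScheduled" is a
hypothetical timelock event assumed for this example.
"""
from dataclasses import dataclass

PROXY = "0xproxy_placeholder"        # placeholder for the monitored proxy address
MIN_DELAY = 48 * 3600                # assumed governance delay before an upgrade may execute
DRAIN_WINDOW = 10 * 60               # an outbound transfer this soon after an upgrade is suspicious
LARGE_TRANSFER = 1_000_000           # assumed threshold, in whole token units
MALICIOUS_IMPL = "0xc89d7894341e13d5067d003af5346b257d861f56"  # implementation named in the post-mortem
APPROVED_IMPLS = {"0xapproved_impl_placeholder"}              # placeholder allowlist of vetted implementations

@dataclass
class Event:
    ts: int      # seconds; constructed samples use 0 = time of the upgrade
    name: str    # "UpgradeScheduled" | "Upgraded" | "Transfer"
    args: dict

def audit_upgrades(events, approved_impls=APPROVED_IMPLS):
    """Return alert strings; an empty list means the stream passed every check."""
    alerts, scheduled, last_upgrade = [], {}, None
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.name == "UpgradeScheduled":
            scheduled[ev.args["implementation"]] = ev.ts
        elif ev.name == "Upgraded":
            impl, last_upgrade = ev.args["implementation"], ev.ts
            if impl not in approved_impls:                      # check 1: unknown code behind the proxy
                alerts.append(f"t={ev.ts}: upgrade to unapproved implementation {impl}")
            announced = scheduled.get(impl)                      # check 2: no (or too short) timelock
            if announced is None or ev.ts - announced < MIN_DELAY:
                alerts.append(f"t={ev.ts}: upgrade to {impl} executed without the {MIN_DELAY}s delay")
        elif (ev.name == "Transfer" and ev.args["from"] == PROXY
              and ev.args["value"] >= LARGE_TRANSFER and last_upgrade is not None
              and ev.ts - last_upgrade <= DRAIN_WINDOW):          # check 3: large outflow right after upgrade
            alerts.append(f"t={ev.ts}: {ev.args['value']} left the proxy {ev.ts - last_upgrade}s after an upgrade")
    return alerts

def sample_malicious():
    """Constructed stream mirroring the case: unannounced upgrade, withdrawal 36 s later."""
    return [Event(0, "Upgraded", {"implementation": MALICIOUS_IMPL}),
            Event(36, "Transfer", {"from": PROXY, "to": "0xrecipient_placeholder", "value": 8_450_000})]

def sample_legitimate():
    """Constructed stream: vetted implementation announced 3 days ahead, routine small transfer."""
    impl = next(iter(APPROVED_IMPLS))
    return [Event(-3 * 86400, "UpgradeScheduled", {"implementation": impl}),
            Event(0, "Upgraded", {"implementation": impl}),
            Event(36, "Transfer", {"from": PROXY, "to": "0xuser_placeholder", "value": 500})]
```

Running `audit_upgrades(sample_malicious())` yields three alerts (unapproved implementation, missing timelock, fast drain), while the legitimate stream yields none.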
Total Amount Lost
Rekt.news reports $8.4m.
The total amount lost has been estimated at $8,512,000 USD.
Immediate Reactions
The incident was announced and regular updates were provided. The community appears to remain largely supportive of the project.
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
"Our main goal in overcoming this unfortunate setback is to ensure that our users are offered a fair and equitable resolution plan aided by the ethos of our product structure.
Since ZeUSD, the product affected in the incident, was structured to isolate risk and limit exposure to underlying assets, we are working towards a hybrid recovery model approach that offers capital preservation through stable assets and $ZOTH vested tokens derived from core contributor allocation or potential partner tokens, with additional support from a recovery fund for direct repayments or token buybacks."
There do not appear to have been any funds recovered in this case.
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
The Zoth exploit could have been prevented—or its impact significantly mitigated—through a combination of stronger operational security, tighter smart contract upgrade controls, and layered security practices.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- KiloEx - Rekt (Accessed Apr 21, 2025)
- Chaofan Shou - ".@KiloEx_perp is hacked. $6M+ loss already. Likely due to price oracle access control issues." - Twitter/X (Accessed Apr 21, 2025)
- Cyvers Alerts - "An address funded via @TornadoCash has executed a series of exploitative transactions on the $BNB, $Base, and $Taiko chains — accumulating approximately $7M in total." - Twitter/X (Accessed Apr 21, 2025)
- Chaofan Shou - "Anyone can change the Kilo's price oracle. lol" - Twitter/X (Accessed Apr 21, 2025)
- KiloEx - "Security Incident Announcement: KiloEx Vault Exploit" - Twitter/X (Accessed Apr 22, 2025)
- PeckShield - "The @KiloEx_perp protocol was hacked today with a loss of ~7.5m ($3.3m in base, $3.1m in opBNB, $1m in BSC)." - Twitter/X (Accessed Apr 22, 2025)
- Binance-Backed DEX KiloEX Suspends Operations Following $7.5 Million Exploit - Decrypt (Accessed Apr 22, 2025)
- KiloEx's KILO Token Surges as Funds Recovered Swiftly After ‘Sophisticated’ Hack - CoinDesk (Accessed Apr 22, 2025)
- Attacker Profits 3,125,495.724597 USDC - BaseScan (Accessed Apr 22, 2025)
- Attacker Profits 892,937.51908942 BSC-USD - BNBScan (Accessed Apr 22, 2025)
- Attacker Profits 2,885,961.64279485 USDT - OPBNBScan (Accessed Apr 22, 2025)
- Attacker Profits 40,959.971124 USDC - TaikoScan (Accessed Apr 22, 2025)
- Attacker Profits 100,000 USDT - Manta Network (Accessed Apr 22, 2025)