Zoth, an Ethereum-based platform for tokenized real-world assets, suffered its second major security breach in less than three weeks on March 21, when attackers took $8.85 million in digital assets.
The company confirmed the breach and is working with security experts to investigate the incident.
Zoth is also offering a $500,000 bounty for information that leads to the identification of the hacker responsible for the recent $8.85 million exploit.
The hack, which took place early on March 21, involved an attacker who obtained an admin key and took control of a Zoth proxy contract. The hacker then upgraded the contract, making unauthorized fund transfers possible.
On-chain analysis shows that $8.85 million in USD0++ stablecoins was removed from the contract and converted into 4,223 ETH, which was later moved to an external wallet.
Zoth acknowledged the security breach and assured users that steps are being taken to reduce the impact. The company promised to issue a full report once the investigation has been completed.
Second hack
This is the second exploit targeting Zoth this month. On March 6, an attacker exploited a vulnerability in one of its liquidity pools, minting synthetic assets without sufficient collateral and causing a loss of $285,000.
Security experts suggest that the breach could have been prevented with better key management and real-time monitoring. They warn that additional funds could be at risk if other contracts within the platform share the same admin access.
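As an added illustration of the real-time monitoring mentioned above (not code from Zoth or from the original article), this Python example scans event logs for proxy upgrades to implementations that are not on an approved list, and for large token outflows from the proxy shortly afterwards. It assumes the proxy emits the ERC-1967 `Upgraded(address)` event and that the token uses 18 decimals; all addresses, block numbers and thresholds are constructed.

```python
# Added example: constructed log data, not taken from the Zoth incident.
# Standard event topic hashes (keccak256 of the event signature).
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"  # Upgraded(address)
TRANSFER = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"  # Transfer(address,address,uint256)

def topic_addr(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def review_logs(logs, watched, approved, window=50, threshold=10**6 * 10**18):
    """Alert on unapproved proxy upgrades and on large outflows soon after one.
    threshold is in token base units (assumed 18 decimals)."""
    alerts, bad_upgrade_block = [], {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics, emitter, block = log["topics"], log["address"].lower(), log["blockNumber"]
        if not topics:
            continue
        if topics[0] == UPGRADED and emitter in watched and len(topics) == 2:
            impl = topic_addr(topics[1])
            if impl not in approved:
                bad_upgrade_block[emitter] = block
                alerts.append(("UNAPPROVED_UPGRADE", emitter, impl, block))
        elif topics[0] == TRANSFER and len(topics) == 3:
            sender, amount = topic_addr(topics[1]), int(log["data"], 16)
            since = bad_upgrade_block.get(sender)
            if since is not None and block - since <= window and amount >= threshold:
                alerts.append(("OUTFLOW_AFTER_UPGRADE", sender, amount, block))
    return alerts

# --- constructed sample input ---
PROXY, GOOD_IMPL, ROGUE_IMPL, TOKEN, DEST = ("0x" + c * 20 for c in ("aa", "bb", "cc", "dd", "ee"))

def pad(addr):
    return "0x" + "0" * 24 + addr[2:]

def make_log(block, index, address, topics, data="0x0"):
    return {"blockNumber": block, "logIndex": index, "address": address, "topics": topics, "data": data}

DRAIN = 8_850_000 * 10**18
SAMPLE_LOGS = [
    make_log(100, 0, PROXY, [UPGRADED, pad(GOOD_IMPL)]),                          # routine upgrade
    make_log(150, 0, TOKEN, [TRANSFER, pad(PROXY), pad(DEST)], hex(5 * 10**18)),  # small, normal
    make_log(200, 0, PROXY, [UPGRADED, pad(ROGUE_IMPL)]),                         # not on allowlist
    make_log(203, 1, TOKEN, [TRANSFER, pad(PROXY), pad(DEST)], "0x" + format(DRAIN, "064x")),
]

if __name__ == "__main__":
    for alert in review_logs(SAMPLE_LOGS, watched={PROXY}, approved={GOOD_IMPL}):
        print(alert)
```

In production the same check would be fed from a node's log subscription, with the alert wired to a pause or timelock response rather than printed.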
Zoth did not disclose whether affected users will be reimbursed, but said it is committed to strengthening its security measures to prevent future incidents.
The incident underscores the ongoing risks facing decentralized finance platforms, particularly those that depend on centralized administrator controls. Blockchain security companies have noted an increase in advanced key compromises, with more than $10 billion lost to DeFi-related exploits in the past five years.
The company has not commented on how the attacker obtained the private key, but promised to provide updates as soon as the investigation has been concluded.
