On March 21, 2025, the real-world-asset restaking protocol Zoth lost approximately $8.4 million after its deployer/upgrade key was compromised. The attacker pushed a malicious proxy implementation and drained the protocol's USD0++ collateral.
What happened
Zoth's contracts were upgradeable, with upgrade authority on a key that was compromised (vector undisclosed). The attacker performed a proxy upgrade to a malicious implementation, then withdrew the collateral pool (~$8.4M), swapped to ETH, and laundered.
Aftermath
- Zoth paused and pursued recovery; minimal returns.
Why it matters
Zoth is a 2025 instance of the single-key proxy-upgrade compromise that dominates the modern catalogue (Wasabi, Resolv, OKX DEX). RWA/restaking protocols — handling tokenised off-chain value — are increasingly targeted because they accumulate large collateral pools quickly. The defence is unchanged and unchanged-ly ignored: upgrade authority must be multi-sig + timelock, never a single key. 2025-2026's incident frequency is overwhelmingly this one omission, at every protocol scale.
Sources & on-chain evidence
- [01]halborn.comhttps://www.halborn.com/blog/post/explained-the-zoth-hack-march-2025
- [02]crypto.newshttps://crypto.news/crypto-hack-leads-to-8-4m-loss-for-rwa-restaking-protocol-zoth/
- [03]rekt.newshttps://rekt.news/zoth-rekt