Zoth is also offering a $500,000 bounty for information leading to the identification of the hacker responsible for the exploit.

On March 21, Zoth, an Ethereum-based platform focused on tokenized real-world assets, suffered its second major security breach in less than three weeks, with attackers draining $8.85 million in digital assets.
The company confirmed the breach and is working with security experts to investigate the incident.
The hack, which occurred early on March 21, involved the attacker compromising an admin key and gaining control of a Zoth proxy contract. The hacker upgraded the contract, enabling unauthorized fund transfers.
Onchain analysis shows that $8.85 million in USD0++ stablecoins were drained from the contract and converted into 4,223 ETH, which was later moved to an external wallet.
Zoth acknowledged the security breach and assured users that steps are being taken to mitigate the impact. The company pledged to release a full report once its investigation is complete.
This is the second exploit targeting Zoth this month. On March 6, an attacker exploited a vulnerability in one of its liquidity pools, minting synthetic assets without sufficient collateral and causing a $285,000 loss.
Security experts suggest that the breach could have been prevented with better key management and real-time monitoring. They warn that additional funds may be at risk if other contracts within the platform share the same admin access.
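The kind of real-time monitoring the experts describe can be sketched as a check on proxy upgrade events. This is an added example, not code from Zoth or from the article. It assumes the watched proxies follow ERC-1967 and emit `Upgraded(address)`; every address, inventory and log entry in it is constructed.

```python
# Added example with constructed data; no address here comes from the incident.
# Assumption: watched proxies follow ERC-1967 and emit Upgraded(address) on upgrade.
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"

def addr(byte_hex):
    """Build a constructed 20-byte address from one repeated byte."""
    return "0x" + byte_hex * 20

# Hypothetical inventory: proxy -> implementations approved through change control.
APPROVED = {addr("aa"): {addr("11")}, addr("bb"): {addr("22")}}
# Hypothetical inventory: proxy -> key that is allowed to upgrade it.
ADMIN_OF = {addr("aa"): addr("ad"), addr("bb"): addr("ad"), addr("cc"): addr("ae")}

def topic_to_address(topic):
    """Indexed address arguments are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()

def find_unapproved_upgrades(logs, approved):
    """Return one alert per Upgraded event whose target is not on the allowlist."""
    alerts = []
    for log in logs:
        topics = log.get("topics", [])
        proxy = log.get("address", "").lower()
        if len(topics) < 2 or topics[0].lower() != UPGRADED_TOPIC or proxy not in approved:
            continue
        impl = topic_to_address(topics[1])
        if impl not in approved[proxy]:
            alerts.append({"proxy": proxy, "implementation": impl,
                           "block": int(log["blockNumber"], 16),
                           "tx": log["transactionHash"]})
    return alerts

def proxies_sharing_admin(proxy, admin_of):
    """Other proxies controlled by the same upgrade key as the alerted proxy."""
    admin = admin_of.get(proxy)
    return sorted(p for p, a in admin_of.items() if a == admin and p != proxy)

# Constructed logs in the shape returned by eth_getLogs.
SAMPLE_LOGS = [
    {"address": addr("aa"), "topics": [UPGRADED_TOPIC, "0x" + "00" * 12 + "11" * 20],
     "blockNumber": "0x10", "transactionHash": "0x" + "01" * 32},  # approved target
    {"address": addr("aa"), "topics": [UPGRADED_TOPIC, "0x" + "00" * 12 + "EE" * 20],
     "blockNumber": "0x11", "transactionHash": "0x" + "02" * 32},  # unknown target
    {"address": addr("aa"), "topics": ["0x" + "ff" * 32],
     "blockNumber": "0x12", "transactionHash": "0x" + "03" * 32},  # unrelated event
]

if __name__ == "__main__":
    for alert in find_unapproved_upgrades(SAMPLE_LOGS, APPROVED):
        print("ALERT", alert, "same admin:", proxies_sharing_admin(alert["proxy"], ADMIN_OF))
```

The second function covers the experts' other warning: once one proxy alerts, every other contract upgradeable by the same key should be treated as exposed until that key is rotated.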
Zoth has not disclosed whether it will reimburse affected users but said it remains committed to strengthening security measures to prevent future incidents.
The incident emphasizes the continued risks facing decentralized finance platforms, particularly those reliant on centralized admin controls. Blockchain security firms have noted a rise in sophisticated key compromises, with over $10 billion lost to DeFi-related exploits in the past five years.
The company did not comment on how the attacker may have obtained the private key but pledged to provide updates once the investigation concludes.