Ethereum real-world asset platform Zoth has suffered an attack that resulted in the loss of $8.85 million. Security experts believe the hack, the second suffered by the company in a month, came about as the result of a private key leak.

On Friday morning, a Zoth proxy contract was upgraded by what security firm Cyvers called a "suspicious address.” Soon thereafter, $8.85 million worth of stablecoin USD0++ was transferred out of the proxy contract into the attackers wallet before all funds were swapped into DAI and moved to another address. The attacker later swapped the stolen funds for 4,223 ETH ($8,300,800).

"Our team is actively investigating the situation alongside our security partners,” a spokesperson for Zoth told Decrypt. “We want to assure you that we are taking every necessary measure to mitigate the impact and resolve the issue.”

A proxy contract is a smart contract that, among other things, forwards calls and funds to other contracts called implementation contracts to facilitate the smooth operation of business—this is very common in the world of DeFi.

In this exploit, it appears the attacker gained access to the private key for the proxy contract which enabled them to update it, changing the implementation contract address to their own wallet. This then allowed for all of the funds from inside the proxy contract to be sent directly to the attacker.

“This type of attack typically occurs when an attacker gains unauthorized access to the private keys controlling a wallet or smart contract, allowing them to transfer funds out of the system,” a spokesperson for PeckShield told Decrypt.

“The attacker gained admin access, likely through a leaked key or exploit,” according to Hakan Unal, Senior Blockchain Scientist at Cyvers. He added that it is likely that Zoth has multiple proxy contracts, such as this contract holding $12.28 million USYCmeaning more funds could also be at risk if they share the same admin access.

Zoth did not comment on how the contract’s private key fell into the hands of the attacker, but told Decrypt that it will release an update once it has finished its investigation. 

Cyvers suggested that setting up real-time monitoring that alerted the company when admin roles or contract upgrades were made could have helped prevent this attack.

This appears to be the second hack to hit the DeFi project in the space of a month, after the project lost $285,000 as the result of a March 6 attack. This came about as a result of an exploit in a liquidity pool that allowed the attacker to mint ZeUSD without depositing sufficient collateral, according to smart contract auditing firm Solidity Scan.

Zoth did not respond to Decrypt’s request for comment on this second attack.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.