DeFi protocol Zoth has suffered a major security breach after a suspected private key compromise led to the unauthorized withdrawal of more than $8.4 million in crypto currencies.

The incident unfolded when an attacker gained access to the protocol’s deployer wallet and upgraded the USD0PPSubVaultUpgradeable proxy contract to a malicious version. 

This upgrade occurred just 30 minutes before the funds were drained. Once the new contract was in place, the attacker withdrew the funds and quickly swapped them for DAI, a widely-used stablecoin. In a matter of minutes, the stolen assets were converted into 4,223 ETH and moved to another wallet.

Security firm Cyvers was among the first to flag the suspicious transaction, describing the attack as stemming from a compromise of the deployer wallet. The firm traced the sequence of events—from the contract upgrade to the asset withdrawal and subsequent token swaps—raising alarms about vulnerabilities in Zoth’s smart contract upgrade mechanisms.

PeckShield, another prominent blockchain security firm, later confirmed the cause of the exploit to be a private key leakage, which allowed the attacker to gain privileged access and reroute funds out of the protocol.

In the immediate aftermath, Zoth’s website was placed into maintenance mode, further fueling speculation and concern from the community. The project issued a brief security notice, acknowledging the breach and stating that an investigation is underway. 

Zoth said it is actively working with partners to mitigate the impact and promised to share a full post-mortem report once the internal review is complete.

The nature of the attack—specifically the upgrade of a critical proxy contract using a compromised deployer key—has again highlighted the ongoing risks facing DeFi protocols that rely on centralized control over key system functions. 

The ability to push upgrades to smart contracts remains a double-edged sword: useful for bug fixes and improvements, but dangerous when not protected by robust security measures like multisig wallets or time-locked execution.

Zoth has not yet commented on whether affected users will be compensated or whether law enforcement has been engaged to help trace the stolen funds. For now, the exploit stands as one of the more significant breaches of 2025 and adds to a growing list of attacks targeting DeFi platforms.

Users are being advised to avoid interacting with the Zoth protocol until further notice, as investigations continue and the platform assesses the full extent of the damage.