Zoth (RWA yield protocol): Admin key compromise → malicious proxy contract upgrade → vault drain

Summary #

Zoth (RWA yield protocol) suffered a RWA / Yield (Real-World Asset protocol) on 2025-03-21, resulting in a loss of approximately $8M.

What happened #

Zoth's $8.4M hack required no smart contract exploit — just a stolen deployer key, a one-line proxy upgrade, and three minutes to drain the vault.

Linked factors #

• RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the attacker deployed a malicious implementation contract and upgraded the proxy to it immediately before the drain] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the attacker deployed a malicious implementation contract and upgraded the proxy to it immediately before the drain]
• RD-F-027 — causal : ★ Single admin EOA — when value mentions key compromise [via realtime_signals/Governance/admin action: Y — the malicious proxy upgrade is a critical governance/admin action; any monitor watching for deployer wallet upgrade transactions on prod...]
• RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — the malicious proxy upgrade is a critical governance/admin action; any monitor watching for deployer wallet upgrade transactions on prod...]
• RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Unknown — RWA yield protocol; specific fork status not referenced]
• RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — the attacker deployed a malicious implementation contract and upgraded the proxy to it immediately before the drain]