Extropy Security Bytes: w13 2025
Welcome to this week’s edition of Extropy Security Bytes — your weekly dose of blockchain security insights. This week, we’re looking at multiple high-profile exploits, including Zoth being hacked twice in one month, a devastating attack on Abracadabra.Finance, and a media outlet’s social account being compromised to spread fake news. Let’s dive in.
Zoth hacked twice in one month
Two security breaches occurred this month on Zoth, an Ethereum-based real-world asset (RWA) restaking protocol. Let’s dive in.
First Hack (Early March 2025)
Date: Approximately March 6, 2025.
Loss: Approximately $285,000
Attack Vector: Exploitation of a vulnerability in one of Zoth’s liquidity pools.
Technical Details: The attacker manipulated Uniswap V3 liquidity pools to exploit a logic flaw in the LTV (Loan-to-Value) validation. This allowed the attacker to mint synthetic assets (ZeUSD) without sufficient collateral backing.
Second Hack (March 21, 2025)
Loss: Approximately $8.4 million.
Attack Vector: Compromise of an admin key, leading to an unauthorised contract upgrade.
Technical Details:
- The attacker gained control of a Zoth proxy contract by compromising the deployer wallet’s admin key.
- The attacker then maliciously upgraded the contract, enabling unauthorised fund transfers.
- Onchain analysis shows that $8.85 million in USD0++ stablecoins were drained from the contract.
- The stolen funds were subsequently converted into 4,223 ETH and then moved to an external wallet. Some funds were also swapped to DAI stablecoin before being converted to ETH.
- Security experts noted that the attack bypassed standard security mechanisms, giving the attacker immediate full control over user funds.
- The attacker had apparently been planning the attack for weeks, funding wallets and making multiple failed attempts before succeeding.
Zoth has confirmed both breaches, is working with security experts to investigate, and has offered a $500,000 bounty for information leading to the identification of the hacker responsible for the second exploit. They have also pledged to release a full report once their investigation is complete.
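The second Zoth breach turned on a single admin key being able to swap a proxy’s implementation. One defensive control that is cheap to run is a monitor for EIP-1967 Upgraded events on your own proxies, alerting whenever an upgrade is not sent by the expected upgrader (such as a timelock) or does not point at a pre-approved implementation. This is an added example written for this newsletter, not Zoth’s code; the addresses and log records are constructed placeholders.

```python
"""Monitor for EIP-1967 Upgraded events over constructed log records."""
from dataclasses import dataclass

# keccak256("Upgraded(address)"): topic0 of the EIP-1967 upgrade event
UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"

@dataclass
class Log:
    address: str     # emitting contract (the proxy)
    topics: list     # topic0 = event signature, topic1 = new implementation
    tx_from: str     # sender of the transaction that emitted the log

def topic_to_address(topic: str) -> str:
    # an indexed address is left-padded to 32 bytes; keep the low 20 bytes
    return "0x" + topic[-40:].lower()

def check_upgrades(logs, watched_proxies, approved_impls, expected_sender):
    """Alert on any upgrade of a watched proxy that was not sent by the
    expected upgrader (e.g. a timelock) or that points at an unapproved
    implementation. Returns (proxy, new_impl, reasons) tuples."""
    alerts = []
    for log in logs:
        if log.address.lower() not in watched_proxies or not log.topics:
            continue
        if log.topics[0].lower() != UPGRADED_TOPIC:
            continue
        new_impl = topic_to_address(log.topics[1])
        reasons = []
        if log.tx_from.lower() != expected_sender.lower():
            reasons.append(f"sent by {log.tx_from}, expected {expected_sender}")
        if new_impl not in approved_impls:
            reasons.append(f"implementation {new_impl} not approved")
        if reasons:
            alerts.append((log.address.lower(), new_impl, reasons))
    return alerts

# Constructed sample data: placeholder addresses, not real contracts.
PROXY, TIMELOCK, DEPLOYER_EOA = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20
GOOD_IMPL, ROGUE_IMPL = "0x" + "22" * 20, "0x" + "33" * 20

def pad(addr: str) -> str:
    return "0x" + "00" * 12 + addr[2:]   # 20-byte address -> 32-byte topic

SAMPLE_LOGS = [
    Log(PROXY, [UPGRADED_TOPIC, pad(GOOD_IMPL)], TIMELOCK),       # approved upgrade
    Log(PROXY, [UPGRADED_TOPIC, pad(ROGUE_IMPL)], DEPLOYER_EOA),  # rogue upgrade
    Log("0x" + "cc" * 20, [UPGRADED_TOPIC, pad(ROGUE_IMPL)], DEPLOYER_EOA),  # unwatched
]

def demo():
    return check_upgrades(SAMPLE_LOGS, {PROXY}, {GOOD_IMPL}, TIMELOCK)
```

In production the records would come from an RPC `eth_getLogs` filter on the proxy addresses, and the expected sender would be the timelock or multisig that is the only party allowed to upgrade.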
Abracadabra
Abracadabra.Finance was hacked on March 26, with a loss of approximately $13 million worth of Ethereum (ETH), equating to 6,260 ETH. Let’s look into it.
Attack Vector: Exploitation of a liquidation loophole within the integration of Abracadabra’s “cauldrons” (lending pools) on GMX V2’s pools.
Technical Details:
- The attackers manipulated the liquidation process using flash loans, which are uncollateralized loans repaid within the same block.
- This manipulation allowed the attackers to exploit a flaw where the protocol failed to correctly track liquidated assets, effectively creating a “phantom collateral position”.
- The borrower in the exploited “cauldron” had no actual collateral, which made the attack possible.
- The exploit transformed failed deposits and self-liquidation into a mechanism for the attackers to profit.
- The security defenses provided by ZeroShadow and HexaGate were bypassed.
- The stolen ETH was initially on Arbitrum before being transferred to Ethereum.
- The exploited cauldron address was 0x625Fe79547828b1B54467E5Ed822a9A8a074bD61.
- The attack transaction was 0xed17089aa6c57b7d5461209e853bdb56bc3460a91805e20d2590609a515ef0b0.
- The attacker’s address was 0xAF9e33Aa03CAaa613c3Ba4221f7EA3eE2AC38649.
Response and Aftermath:
- Abracadabra restricted borrowing across the impacted smart contracts.
- They offered the attackers a bounty of 20% of the stolen funds for their return.
- Abracadabra promised to buy back 6.5 million MIM and cover half of the initial damage.
- They are increasing their security team and implementing invariant testing.
- Decentralized exchange GMX stated that no issues were identified with their contracts.
This incident marks the second major exploit for Abracadabra, following a $6.5 million loss in January 2024 involving their Magic Internet Money (MIM) stablecoin. We did an in-depth analysis of the attack at the time.
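Abracadabra says it is adding invariant testing in response. To show why that catches the class of bug described above, here is a constructed toy lending pool (not Abracadabra’s code, and not the exact mechanics of the exploit, which the reports do not spell out) whose only defect is that liquidation credits the liquidator with seized collateral without deducting it from the borrower. A self-liquidation then manufactures “phantom collateral”, and the invariant that credited collateral never exceeds tokens held immediately fails.

```python
"""Toy lending pool (constructed for this example; not Abracadabra's code)
with an invariant test that catches a phantom-collateral liquidation."""
from collections import defaultdict

class Cauldron:
    def __init__(self, strict_liquidation: bool):
        self.collateral = defaultdict(int)  # collateral credited per user
        self.debt = defaultdict(int)        # amount borrowed per user
        self.pool_balance = 0               # collateral tokens really held
        self.strict = strict_liquidation

    def deposit(self, user: str, amount: int) -> None:
        self.pool_balance += amount
        self.collateral[user] += amount

    def borrow(self, user: str, amount: int, max_ltv: float = 0.5) -> None:
        if amount > self.collateral[user] * max_ltv:
            raise ValueError("exceeds LTV")
        self.debt[user] += amount

    def liquidate(self, borrower: str, liquidator: str, repay: int,
                  bonus: float = 1.1) -> int:
        """Repay part of the borrower's debt and hand the liquidator the
        seized collateral plus a bonus. Strict mode takes the seized amount
        from the borrower's tracked balance; lax mode credits the liquidator
        without deducting from anyone, so self-liquidation creates collateral
        out of nothing."""
        repay = min(repay, self.debt[borrower])
        seize = int(repay * bonus)
        if self.strict:
            if self.collateral[borrower] < seize:
                raise ValueError("insufficient collateral to seize")
            self.collateral[borrower] -= seize
        self.debt[borrower] -= repay
        self.collateral[liquidator] += seize
        return seize

    def invariant_holds(self) -> bool:
        # Credited collateral must never exceed the tokens the pool holds.
        return sum(self.collateral.values()) <= self.pool_balance

def self_liquidation_scenario(strict: bool) -> tuple:
    """(attacker collateral credit, invariant holds) after one cycle."""
    pool = Cauldron(strict)
    pool.deposit("lp", 1000)        # honest depositor funds the pool
    pool.deposit("attacker", 100)
    pool.borrow("attacker", 50)
    pool.liquidate("attacker", "attacker", repay=50)
    return pool.collateral["attacker"], pool.invariant_holds()
```

In a fuzzing or invariant-testing harness, `invariant_holds` would be checked after every randomly generated sequence of deposit, borrow and liquidate calls rather than after one scripted scenario.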
SlowMist helps ReachMe patch a vulnerability
The SlowMist investigation team identified a bug on ReachMe, a paid connection platform for reaching Key Opinion Leader (KOL) accounts.
Nature of the Vulnerability: The bug discovered by SlowMist allowed users to send messages to KOLs for a significantly lower fee than intended by ReachMe’s regular fee structure. This would have negatively impacted ReachMe’s revenue model.
Verification by White Hats: A team of white hat hackers successfully tested the bug.
Reporting and Patching: The white hat hackers alerted the ReachMe team about the vulnerability, allowing them to implement a patch. This action by SlowMist and the white hats enabled ReachMe to maintain its intended fee structure.
Watcher Guru X account hacked to spread fake reports
Crypto-focused media outlet Watcher Guru confirmed that its official X (formerly Twitter) account was hacked on March 21. The hackers used the compromised account to post a fake report claiming that Ripple and SWIFT were close to a deal to use XRP in global payment systems. This unauthorised post went live at 2:05 A.M. UTC and falsely stated that billions of XRP had been locked in escrow as liquidity reserves.
The fake news quickly gained attention and caused excitement within the XRP community, with some believing it to be true. Crypto exchange Bitrue even mistakenly shared the false information, further amplifying the confusion.
Shortly after the fake post, Watcher Guru clarified that the information was not from their team and that their X account had been hacked. They stated that the unauthorised post had been deleted.
Watcher Guru reported having two-factor authentication (2FA) enabled on their account and had taken extreme measures to prevent hacks. They also indicated that there were no connected apps or API tokens used to post the false information.
Due to automation, the false report was also shared on Watcher Guru’s other social media accounts, including Telegram, Facebook, and Discord, before the issue was detected.
Watcher Guru mentioned that the attacker had blocked the official X accounts of Ripple and its CEO, Brad Garlinghouse, presumably to slow down a response to the false report. Watcher Guru also stated that they had flagged the link and contacted X’s Head of Cybersecurity, but had not received a reply.
Watcher Guru noted that their breach resembled that of DB News, another crypto media outlet.
At the time of their statement, Watcher Guru had not yet determined the exact source or method behind the hack but confirmed that all unauthorised posts had been removed, and their account had been secured.
That wraps up this week’s Extropy Security Bytes. From multimillion-dollar exploits to social engineering attacks, the importance of security in Web3 has never been clearer. Stay vigilant, stay informed, and we’ll see you next week for more insights into blockchain security.
Since 2017, Extropy has been at the forefront of blockchain security, auditing smart contracts across Ethereum and Zero-Knowledge (ZK) protocols. We have collaborated with leading ecosystems, including Base, Starknet, and MINA, ensuring their smart contracts are resilient, efficient, and secure.
We specialize in DeFi, on-chain games, and ZK applications, leveraging formal verification, static analysis, and deep manual reviews to uncover vulnerabilities before they become exploits. Whether you’re working with Solidity, Rust, Cairo, or zkVMs, our collaborative approach ensures your project meets the highest security standards.
- Website: security.extropy.io
- Email: info@extropy.io
Get in touch today — let’s build safer smart contracts together!