Skip to main content
Sign in
Zoth Protocol7 decisions on this page

Audit log

Every state-changing event for Zoth Protocol: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1publishby system:backfill
    2026-06-01 17:49:58Z
    Score: ?? (no score change)
    anchoranchored
    chain
    mainnet-betaslot 423,640,548
    sig
    55vVxPA4QPfk…xz4pYnwNexplorer ↗
    hash
    BGsQfKRY2NTk…jGV7pYUGsha256 → base58
    verifying row…full verify ↗
    canonical bytes (17773 B) ▸
    {"actor":"system:backfill","investigation_id":"4a736de8-81d9-4b63-944d-32ddd8b0ff17","kind":"publish","page_slug":"zoth-protocol","published_at":"2026-06-01T17:49:58.512Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Zoth Protocol","sections":[{"content":"On March 21, 2025, at approximately 08:46 UTC, an attacker who had obtained control of Zoth's deployer wallet (0x3604582f56565d7060d73829ffb9ebd579218dca) executed the upgradeToAndCall function on the USD0PPSubVaultUpgradeable proxy contract (0x82f3a0392F58C50fa90542519832471BaE93e43e), replacing the legitimate implementation with a malicious contract deployed at 0xc89d7894341e13d5067d003af5346b257d861f56. One minute later, the attacker used the new implementation to withdraw 8,851,750.37 USD0++ tokens, valued at approximately $8.4 million. The stolen tokens were swapped into DAI via CowSwap and subsequently converted to ETH via Uniswap V2, with final holdings consolidated in a secondary attacker wallet at 0x7b0cd0D83565aDbB57585d0265b7D15d6D9f60cf. On-chain evidence indicates the attacker funded a preparation wallet with 0.54 ETH through ChangeNOW as early as March 14-15, and executed a failed proxy upgrade attempt on March 20 before succeeding on March 21. The deployer address controlled the proxy's upgrade mechanism through a single externally owned account (EOA) with no multi-signature or timelocked governance safeguard, constituting a critical single point of failure.","heading":"March 21, 2025 Deployer-Key Compromise and Proxy Upgrade Attack","severity":"critical","sources":[{"credibility":2,"name":"Explained: The Zoth Hack (March 2025) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-zoth-hack-march-2025"},{"credibility":2,"name":"Zoth Vault Breach: Admin Key Exploit Analysis — Blockscope Research","type":"research","url":"https://research.blockscope.co/zoth-vault-breach"},{"credibility":2,"name":"How Did Zoth Lose $8.4M Due to Access Control? — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/zoth-loose-8.4m-dollar-due-to-access-control"},{"credibility":2,"name":"Hacker Steals $8.4M from RWA Restaking Protocol Zoth — CoinTelegraph","type":"news","url":"https://cointelegraph.com/news/zoth-exploit-admin-leak-causes-8m-losses"},{"credibility":2,"name":"Zoth — Rekt News","type":"research","url":"https://rekt.news/zoth-rekt"}]},{"content":"Three weeks before the larger breach, on March 1, 2025, Zoth suffered a separate $285,000 exploit targeting a logic flaw in the LTV (Loan-to-Value) validation inside the mintWithStable() function of the ZeUSD contract. An attacker manipulated a Uniswap V3 liquidity pool to cause the protocol to incorrectly record receipt of approximately 330,979 collateral tokens that were never actually deposited. With the system treating the position as fully collateralized, the attacker minted a disproportionate quantity of ZeUSD and subsequently burned it to withdraw the phantom collateral, netting $285,000. Security researchers noted that this vulnerability had been flagged in a prior audit, raising questions about the protocol's remediation process between audit and deployment.","heading":"March 1, 2025 Initial Exploit — LTV Logic Flaw ($285,000)","severity":"high","sources":[{"credibility":2,"name":"Anatomy of a Hack: How a Simple Logic Flaw Led to a $285k Exploit on Zoth — Verichains Blog","type":"research","url":"https://blog.verichains.io/p/anatomy-of-a-hack-how-a-simple-logic"},{"credibility":2,"name":"Zoth Hacked for Nearly $8.3 Million, Second Theft in Two Weeks — Web3 Is Going Great","type":"news","url":"https://www.web3isgoinggreat.com/?id=zoth-hack-2"},{"credibility":2,"name":"Explained: The Zoth Hack (March 2025) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-zoth-hack-march-2025"}]},{"content":"Security analysts identified the root cause of the March 21 attack as the protocol's reliance on a single EOA deployer wallet to control proxy upgrade rights, with no multi-signature requirement, no timelock, and no on-chain governance process gating contract upgrades. This architecture meant that compromising one private key was sufficient to replace the entire contract logic and drain user funds. The precise method by which the deployer key was obtained is not publicly confirmed as of the date of this report; analysts have noted the pattern is consistent with phishing, social engineering, or insider access, but Zoth has not disclosed the confirmed attack vector for the key compromise. The attacker's preparation timeline — funding wallets via ChangeNOW and making a failed upgrade attempt on March 20 — suggests deliberate targeting rather than opportunistic scanning.","heading":"Root Cause: Single-Key Deployer Privilege and Absent Upgrade Governance","severity":"critical","sources":[{"credibility":2,"name":"Zoth Vault Breach: Admin Key Exploit Analysis — Blockscope Research","type":"research","url":"https://research.blockscope.co/zoth-vault-breach"},{"credibility":2,"name":"How Did Zoth Lose $8.4M Due to Access Control? — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/zoth-loose-8.4m-dollar-due-to-access-control"},{"credibility":2,"name":"Explained: The Zoth Hack (March 2025) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-zoth-hack-march-2025"}]},{"content":"Following the March 21 breach, Zoth publicly acknowledged the incident and stated it was actively investigating. Asset issuer partners cooperated to freeze or lock approximately 73% of the protocol's TVL, limiting additional exposure. Zoth engaged Crystal Blockchain BV to assist with blockchain forensics and asset tracing. A $500,000 public bounty was launched through Securr, offering 10% of recovered funds to any party providing actionable information leading to asset recovery. A subsequent protocol update disclosed that no significant changes in fund movements had been observed and that tracking and investigation remained ongoing. As of the date of this report, no public confirmation of recovered funds has been issued.","heading":"Fund Recovery and Incident Response","severity":"high","sources":[{"credibility":3,"name":"Zoth Engages Crystal Blockchain BV for Asset Recovery Post-Theft — Coincu via BitcoinEthereumNews","type":"news","url":"https://bitcoinethereumnews.com/blockchain/zoth-engages-crystal-blockchain-bv-for-asset-recovery-post-theft-coincu/"},{"credibility":3,"name":"RWA Restaking Protocol Zoth Offers $500K Bounty After $8.4M Hack — CryptoTVPlus","type":"news","url":"https://cryptotvplus.com/2025/03/rwa-restaking-protocol-zoth-offers-500k-bounty-after-8-4m-hack/"},{"credibility":3,"name":"ZOTH Progress Update on Hacking Incident — Bitget News","type":"news","url":"https://www.bitget.com/news/detail/12560604674255"},{"credibility":2,"name":"Zoth — Rekt News","type":"research","url":"https://rekt.news/zoth-rekt"}]},{"content":"In a press release issued after the incident, Zoth announced a multi-part recovery and security overhaul. User compensation was structured as a combination of stable asset payments covering principal losses, vested $ZOTH tokens drawn from contributor and ecosystem reserves, and active discussions with a liquid fund to facilitate redemptions; the protocol reported over 80% user retention following this approach. On the security side, the team committed to implementing AI-powered real-time monitoring, independent smart contract audits, a public bug bounty program, open-sourced infrastructure, and enhanced governance mechanisms requiring multiple signers for future upgrades. Zoth also announced a $15 million strategic token commitment from Bolts Capital as a signal of continued institutional backing. Co-founder Pritam Dutta stated the team chose to rebuild rather than abandon the protocol, and co-founder Koushik Bhargav emphasized the project's mandate as public goods infrastructure for RWAs.","heading":"Post-Incident Security Overhaul and Compensation Program","severity":"medium","sources":[{"credibility":2,"name":"Zoth's Next Chapter: Advancing Secure, Scalable RWA Infrastructure — PR Newswire","type":"official","url":"https://www.prnewswire.com/news-releases/zoths-next-chapter-advancing-secure-scalable-rwa-infrastructure-302450470.html"}]},{"content":"Zoth Protocol is a decentralized infrastructure platform focused on tokenizing and providing on-chain settlement for real-world assets including treasury bills and sovereign debt instruments. The protocol's flagship product, ZeUSD, is a yield-bearing stablecoin backed by tokenized RWAs. The restaking layer allows holders to re-stake tokenized assets to earn additional yield, a model the protocol marketed as bridging traditional finance and DeFi. The company is registered in Panama and operates with a regulated SPV structure in Luxembourg and an Invoice Forfaiting License in the UAE. It raised $4 million in a funding round to launch its tokenized liquid note product. The founding team previously built a fintech venture with reported $300 million AUM at AB InBev, serving enterprise clients including Budweiser and Emirates Group. Zoth was founded in January 2023.","heading":"Business Model: RWA Tokenization and Restaking","severity":"low","sources":[{"credibility":2,"name":"RWA Startup Zoth Raises $4M to Launch Tokenized Liquid Note — Crypto.news","type":"news","url":"https://crypto.news/rwa-startup-zoth-raises-4m-to-launch-tokenized-liquid-note/"},{"credibility":1,"name":"Zoth | Stablecoin Neobank for Next Era of Finance — Official Website","type":"official","url":"https://zoth.io/"},{"credibility":3,"name":"Pritam Dutta — CEO & Founder at Zoth.io | The Org","type":"other","url":"https://theorg.com/org/zoth-io/org-chart/pritam-dutta"}]},{"content":"The Zoth incident has been cited by multiple security researchers as a case study in the systemic risks of upgradeable proxy contracts controlled by single EOA keys. In the broader DeFi context, access-control failures of this type accounted for a significant share of losses in Q1 2025. For RWA protocols specifically, the risk profile is heightened because the assets backing on-chain instruments include off-chain counterparties and regulated structures, meaning a smart contract exploit can simultaneously impair both on-chain token holders and off-chain asset redemption processes. Security auditors including Halborn, QuillAudits, and Blockscope have used the Zoth incident to advocate for mandatory multi-signature governance over proxy upgrade functions, timelocked upgrades with community veto windows, and operational security practices (hardware security modules, compartmentalized key custody) for privileged protocol addresses.","heading":"Proxy Upgrade Security Implications for RWA Protocols","severity":"high","sources":[{"credibility":2,"name":"Explained: The Zoth Hack (March 2025) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-zoth-hack-march-2025"},{"credibility":2,"name":"Unpacking $1.7B of DeFi Exploits: What Went Wrong in Q1 2025? — Guardrail","type":"research","url":"https://www.guardrail.ai/blog/unpacking-defi-exploits-what-went-wrong-in-q1-2025"},{"credibility":2,"name":"How Did Zoth Lose $8.4M Due to Access Control? — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/zoth-loose-8.4m-dollar-due-to-access-control"}]}],"sources_used":[{"name":"Explained: The Zoth Hack (March 2025) — Halborn Security","type":"research","url":"https://www.halborn.com/blog/post/explained-the-zoth-hack-march-2025"},{"name":"Zoth Vault Breach: Admin Key Exploit Analysis — Blockscope Research","type":"research","url":"https://research.blockscope.co/zoth-vault-breach"},{"name":"How Did Zoth Lose $8.4M Due to Access Control? — QuillAudits","type":"research","url":"https://www.quillaudits.com/blog/hack-analysis/zoth-loose-8.4m-dollar-due-to-access-control"},{"name":"Zoth — Rekt News","type":"research","url":"https://rekt.news/zoth-rekt"},{"name":"Hacker Steals $8.4M from RWA Restaking Protocol Zoth — CoinTelegraph","type":"news","url":"https://cointelegraph.com/news/zoth-exploit-admin-leak-causes-8m-losses"},{"name":"Anatomy of a Hack: How a Simple Logic Flaw Led to a $285k Exploit on Zoth — Verichains Blog","type":"research","url":"https://blog.verichains.io/p/anatomy-of-a-hack-how-a-simple-logic"},{"name":"Zoth's Next Chapter: Advancing Secure, Scalable RWA Infrastructure — PR Newswire","type":"official","url":"https://www.prnewswire.com/news-releases/zoths-next-chapter-advancing-secure-scalable-rwa-infrastructure-302450470.html"},{"name":"Zoth Engages Crystal Blockchain BV for Asset Recovery Post-Theft — Coincu","type":"news","url":"https://bitcoinethereumnews.com/blockchain/zoth-engages-crystal-blockchain-bv-for-asset-recovery-post-theft-coincu/"},{"name":"RWA Restaking Protocol Zoth Offers $500K Bounty After $8.4M Hack — CryptoTVPlus","type":"news","url":"https://cryptotvplus.com/2025/03/rwa-restaking-protocol-zoth-offers-500k-bounty-after-8-4m-hack/"},{"name":"ZOTH Progress Update on Hacking Incident — Bitget News","type":"news","url":"https://www.bitget.com/news/detail/12560604674255"},{"name":"Unpacking $1.7B of DeFi Exploits: What Went Wrong in Q1 2025? — Guardrail","type":"research","url":"https://www.guardrail.ai/blog/unpacking-defi-exploits-what-went-wrong-in-q1-2025"},{"name":"RWA Startup Zoth Raises $4M to Launch Tokenized Liquid Note — Crypto.news","type":"news","url":"https://crypto.news/rwa-startup-zoth-raises-4m-to-launch-tokenized-liquid-note/"},{"name":"Zoth | Stablecoin Neobank for Next Era of Finance — Official Website","type":"official","url":"https://zoth.io/"},{"name":"Pritam Dutta — CEO & Founder at Zoth.io | The Org","type":"other","url":"https://theorg.com/org/zoth-io/org-chart/pritam-dutta"},{"name":"Zoth on Lazarus.day incident tracker","type":"research","url":"https://lazarus.day/incidents/zoth"}],"summary":"Zoth Protocol is an Ethereum-based real-world asset (RWA) re-staking and tokenization platform founded in 2023 by Pritam Dutta and Koushik Bhargav. In March 2025 the protocol suffered two separate security incidents within three weeks: an initial $285,000 logic-flaw exploit on March 1 and a far more damaging $8.4 million deployer-key compromise on March 21 that enabled a malicious proxy contract upgrade. The protocol has since launched a user compensation program, engaged Crystal Blockchain BV for fund recovery, and announced a security overhaul backed by a $15 million strategic token commitment from Bolts Capital.","timeline":[{"date":"2023-01-01","event":"Zoth Protocol founded by Pritam Dutta and Koushik Bhargav.","source":"Tracxn / The Org","source_url":"https://theorg.com/org/zoth-io/org-chart/pritam-dutta"},{"date":"2025-03-01","event":"First exploit: attacker manipulates Uniswap V3 liquidity pool to exploit LTV logic flaw in mintWithStable(), draining $285,000 from the ZeUSD contract.","source":"Verichains Blog","source_url":"https://blog.verichains.io/p/anatomy-of-a-hack-how-a-simple-logic"},{"date":"2025-03-14","event":"Attacker funds a preparation wallet with 0.54 ETH via ChangeNOW and deploys a malicious smart contract, suggesting deliberate pre-attack staging.","source":"QuillAudits Hack Analysis","source_url":"https://www.quillaudits.com/blog/hack-analysis/zoth-loose-8.4m-dollar-due-to-access-control"},{"date":"2025-03-20","event":"Attacker makes a failed attempt to upgrade the USD0PPSubVaultUpgradeable proxy contract, one day before the successful exploit.","source":"QuillAudits Hack Analysis","source_url":"https://www.quillaudits.com/blog/hack-analysis/zoth-loose-8.4m-dollar-due-to-access-control"},{"date":"2025-03-21","event":"08:46 UTC: Attacker uses compromised deployer wallet (0x3604582f...218dca) to call upgradeToAndCall on the USD0PPSubVaultUpgradeable proxy, installing malicious implementation at 0xc89d7894...861f56.","source":"Blockscope Research","source_url":"https://research.blockscope.co/zoth-vault-breach"},{"date":"2025-03-21","event":"08:47 UTC: Attacker withdraws 8,851,750.37 USD0++ tokens (~$8.4M) from the now-controlled vault. Tokens swapped to DAI via CowSwap, then converted to ETH via Uniswap V2.","source":"Blockscope Research","source_url":"https://research.blockscope.co/zoth-vault-breach"},{"date":"2025-03-21","event":"Zoth publicly acknowledges the breach, states it is actively investigating and taking necessary steps.","source":"Rekt News","source_url":"https://rekt.news/zoth-rekt"},{"date":"2025-03-21","event":"Asset issuer partners cooperate to freeze or lock approximately 73% of the protocol's TVL.","source":"Rekt News","source_url":"https://rekt.news/zoth-rekt"},{"date":"2025-03-25","event":"Stolen funds reported consolidated in attacker wallets; Crystal Blockchain BV engaged for asset tracing. $500,000 public bounty launched via Securr.","source":"CryptoTVPlus / BitcoinEthereumNews","source_url":"https://cryptotvplus.com/2025/03/rwa-restaking-protocol-zoth-offers-500k-bounty-after-8-4m-hack/"},{"date":"2025-04-01","event":"Zoth releases progress update: no significant changes in fund movements observed; tracking and investigation ongoing.","source":"Bitget News","source_url":"https://www.bitget.com/news/detail/12560604674255"},{"date":"2025-04-01","event":"Zoth announces 'Next Chapter' press release: $15M strategic token commitment from Bolts Capital, user compensation program, and phased ZeUSD relaunch with enhanced security measures.","source":"PR Newswire","source_url":"https://www.prnewswire.com/news-releases/zoths-next-chapter-advancing-secure-scalable-rwa-infrastructure-302450470.html"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 76af9606-e3d6-497b-9dcf-22f824e0a2e0
  2. #2reviewby reviewerreviewer
    2026-06-02 19:18:13Z
    Score: 2828 (no score change)
    The core technical facts of the March 21, 2025 exploit — amounts, addresses, swap routes, and timeline — are well-supported by multiple independent security research sources. The principal accuracy problems are: (1) the timeline entry dating the PR Newswire press release to April 1, 2025 when the cited source is dated May 9, 2025; (2) the unsubstantiated claim that the March 1 LTV vulnerability was flagged in a prior audit, which no cited or independently discoverable source supports; (3) three cited URLs that are inaccessible (CoinTelegraph 404, Bitget 403, BitcoinEthereumNews 403); and (4) the 'March 14-15 ChangeNOW funding' framing, which conflates the March 14 ETH funding event with the March 15 malicious contract deployment. The business model section contains several unverified regulatory jurisdiction claims (Panama, Luxembourg, UAE) that lack any cited third-party confirmation.
    anchoranchored
    chain
    mainnet-betaslot 423,871,402
    sig
    5HZDzBuNk8cW…ymd7bH85explorer ↗
    hash
    7fqAJLMrJtqr…pJaP7ipfsha256 → base58
    verifying row…full verify ↗
    canonical bytes (1246 B) ▸
    {"actor":"reviewer","decided_at":"2026-06-02T19:18:13.235Z","decision":"review","investigation_id":"4a736de8-81d9-4b63-944d-32ddd8b0ff17","new_score":28,"page_slug":"zoth-protocol","prev_score":28,"reason":"The core technical facts of the March 21, 2025 exploit — amounts, addresses, swap routes, and timeline — are well-supported by multiple independent security research sources. The principal accuracy problems are: (1) the timeline entry dating the PR Newswire press release to April 1, 2025 when the cited source is dated May 9, 2025; (2) the unsubstantiated claim that the March 1 LTV vulnerability was flagged in a prior audit, which no cited or independently discoverable source supports; (3) three cited URLs that are inaccessible (CoinTelegraph 404, Bitget 403, BitcoinEthereumNews 403); and (4) the 'March 14-15 ChangeNOW funding' framing, which conflates the March 14 ETH funding event with the March 15 malicious contract deployment. The business model section contains several unverified regulatory jurisdiction claims (Panama, Luxembourg, UAE) that lack any cited third-party confirmation.","score_delta":0,"sequence_num":2,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision e651c208-45a0-4d05-be4f-3e93677bd3d6
  3. #3review reviseby judgejudge
    2026-06-02 19:18:13Z
    Score: 2818 (-10)
    The core technical record of the March 21 exploit — addresses, token amounts, timestamps, and swap routes — is well-supported by multiple independent Tier 2 security research sources and does not require correction. However, the review identified four issues requiring revision: (1) claim_findings[25] (timeline[10]) is directly disputed — the PR Newswire 'Next Chapter' press release is dated May 9, 2025, not April 1, 2025 as stated in the timeline; (2) claim_findings[15] asserts that the March 1 LTV vulnerability was flagged in a prior audit, but no cited or independently discoverable source supports this claim — the page's own cited source (Verichains) does not say this, making it unverifiable and potentially false; (3) three cited URLs are inaccessible due to link rot (CoinTelegraph 404, Bitget 403, BitcoinEthereumNews 403), including a Tier 2 source in the critical exploit section; and (4) regulatory jurisdiction claims (Panama registration, Luxembourg SPV, UAE license) in the business model section lack any third-party confirmation. Two high-priority coverage gaps — absent on-chain transaction links and unconfirmed audit history — further support a revision rather than approval. Reviewer confidence of 0.78 supports a measured penalty within the minor-issues band.
    anchoranchored
    chain
    mainnet-betaslot 423,871,405
    sig
    3vcWiekd63oU…X6JA6wF9explorer ↗
    hash
    Cv4rUrtPexs2…NBRzaEtesha256 → base58
    verifying row…full verify ↗
    canonical bytes (1641 B) ▸
    {"actor":"judge","decided_at":"2026-06-02T19:18:13.235Z","decision":"review_revise","investigation_id":"4a736de8-81d9-4b63-944d-32ddd8b0ff17","new_score":18,"page_slug":"zoth-protocol","prev_score":28,"reason":"The core technical record of the March 21 exploit — addresses, token amounts, timestamps, and swap routes — is well-supported by multiple independent Tier 2 security research sources and does not require correction. However, the review identified four issues requiring revision: (1) claim_findings[25] (timeline[10]) is directly disputed — the PR Newswire 'Next Chapter' press release is dated May 9, 2025, not April 1, 2025 as stated in the timeline; (2) claim_findings[15] asserts that the March 1 LTV vulnerability was flagged in a prior audit, but no cited or independently discoverable source supports this claim — the page's own cited source (Verichains) does not say this, making it unverifiable and potentially false; (3) three cited URLs are inaccessible due to link rot (CoinTelegraph 404, Bitget 403, BitcoinEthereumNews 403), including a Tier 2 source in the critical exploit section; and (4) regulatory jurisdiction claims (Panama registration, Luxembourg SPV, UAE license) in the business model section lack any third-party confirmation. Two high-priority coverage gaps — absent on-chain transaction links and unconfirmed audit history — further support a revision rather than approval. Reviewer confidence of 0.78 supports a measured penalty within the minor-issues band.","score_delta":-10,"sequence_num":3,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 84495cbc-fd4c-4454-8e78-70be807230ec
  4. #4reviewby reviewerreviewer
    2026-06-02 19:49:55Z
    Score: 1818 (no score change)
    The investigation page is largely accurate: the core facts of both March 2025 exploits (dates, loss amounts, on-chain addresses, attack mechanics, fund flow) are well-supported across multiple independent security research sources. The primary weaknesses are: (1) the claim that the LTV vulnerability was flagged in a prior audit is unverifiable from any consulted source; (2) the timeline's April 1, 2025 date for the 'Next Chapter' press release is incorrect — that release is dated May 9, 2025 and the Bolts Capital formal announcement is August 2025; (3) the fund conversion path description slightly oversimplifies a multi-protocol swap. No claims are actively contradicted by a more credible source. One cited URL (bitcoinethereumnews.com) returned HTTP 403, but the claims it supports are corroborated by Rekt News.
    anchoranchored
    chain
    mainnet-betaslot 423,876,165
    sig
    4rFwwB1eeRsz…4SVSLFFaexplorer ↗
    hash
    8XZfPRw6AYp9…22fPtU96sha256 → base58
    verifying row…full verify ↗
    canonical bytes (1171 B) ▸
    {"actor":"reviewer","decided_at":"2026-06-02T19:49:54.885Z","decision":"review","investigation_id":"4a736de8-81d9-4b63-944d-32ddd8b0ff17","new_score":18,"page_slug":"zoth-protocol","prev_score":18,"reason":"The investigation page is largely accurate: the core facts of both March 2025 exploits (dates, loss amounts, on-chain addresses, attack mechanics, fund flow) are well-supported across multiple independent security research sources. The primary weaknesses are: (1) the claim that the LTV vulnerability was flagged in a prior audit is unverifiable from any consulted source; (2) the timeline's April 1, 2025 date for the 'Next Chapter' press release is incorrect — that release is dated May 9, 2025 and the Bolts Capital formal announcement is August 2025; (3) the fund conversion path description slightly oversimplifies a multi-protocol swap. No claims are actively contradicted by a more credible source. One cited URL (bitcoinethereumnews.com) returned HTTP 403, but the claims it supports are corroborated by Rekt News.","score_delta":0,"sequence_num":4,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision a7e4c47d-5d71-4136-8823-1f7a2a10ec5f
  5. #5review reviseby judgejudge
    2026-06-02 19:49:55Z
    Score: 188 (-10)
    The core facts of both March 2025 exploits — loss amounts, on-chain addresses, attack mechanics, and fund flows — are well-confirmed by multiple independent Tier 2 security research sources, and zero claims are actively contradicted by a more credible source. However, the reviewer identified several issues requiring correction: claim_findings[25] (timeline entry 11) places the 'Next Chapter' press release on April 1, 2025, but the PR Newswire release is dated May 9, 2025, making this a material date error in the timeline; claim_findings[16] (Bolts Capital $15M) is partially supported but its April 1 timeline placement is similarly unsupported — the formal announcement did not occur until August 2025. Additionally, claim_findings[11] (LTV vulnerability flagged in a prior audit) is unverifiable from any consulted source, including the primary cited Verichains article. Two high-priority coverage gaps — the page is effectively 14 months stale with no events past April 2025, and the pre-incident audit history is absent — further support a revision rather than approval.
    anchoranchored
    chain
    mainnet-betaslot 423,876,168
    sig
    2sPxeB1kcpjX…z7jpNVMNexplorer ↗
    hash
    6ewS2ozXtsjc…N7Bg2Bxwsha256 → base58
    verifying row…full verify ↗
    canonical bytes (1434 B) ▸
    {"actor":"judge","decided_at":"2026-06-02T19:49:54.885Z","decision":"review_revise","investigation_id":"4a736de8-81d9-4b63-944d-32ddd8b0ff17","new_score":8,"page_slug":"zoth-protocol","prev_score":18,"reason":"The core facts of both March 2025 exploits — loss amounts, on-chain addresses, attack mechanics, and fund flows — are well-confirmed by multiple independent Tier 2 security research sources, and zero claims are actively contradicted by a more credible source. However, the reviewer identified several issues requiring correction: claim_findings[25] (timeline entry 11) places the 'Next Chapter' press release on April 1, 2025, but the PR Newswire release is dated May 9, 2025, making this a material date error in the timeline; claim_findings[16] (Bolts Capital $15M) is partially supported but its April 1 timeline placement is similarly unsupported — the formal announcement did not occur until August 2025. Additionally, claim_findings[11] (LTV vulnerability flagged in a prior audit) is unverifiable from any consulted source, including the primary cited Verichains article. Two high-priority coverage gaps — the page is effectively 14 months stale with no events past April 2025, and the pre-incident audit history is absent — further support a revision rather than approval.","score_delta":-10,"sequence_num":5,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision b4986e17-9088-4aaf-89da-25c6d9d3c755
  6. #6reviewby reviewerreviewer
    2026-06-04 00:32:18Z
    Score: 88 (no score change)
    The Zoth Protocol investigation is well-supported on its core factual claims — exploit amounts, technical attack mechanics, wallet addresses, timestamps, and incident response measures are corroborated by multiple independent security research sources. The five partially-supported claims reflect precision issues (imprecise phrasing on collateral deposits, Bolts Capital announcement timing, minor regulatory details) rather than material falsehoods. The two unverifiable claims concern self-reported founder background data and an audit-flagging assertion that no cited source actually confirms. No claims were found to be outright disputed by credible sources.
    anchoranchored
    chain
    mainnet-betaslot 424,135,744
    sig
    3xNdQT4dJ4ko…LvDKgCJiexplorer ↗
    hash
    9FiFUH3WP18d…NAUMJvKvsha256 → base58
    verifying row…full verify ↗
    canonical bytes (1010 B) ▸
    {"actor":"reviewer","decided_at":"2026-06-04T00:32:18.346Z","decision":"review","investigation_id":"4a736de8-81d9-4b63-944d-32ddd8b0ff17","new_score":8,"page_slug":"zoth-protocol","prev_score":8,"reason":"The Zoth Protocol investigation is well-supported on its core factual claims — exploit amounts, technical attack mechanics, wallet addresses, timestamps, and incident response measures are corroborated by multiple independent security research sources. The five partially-supported claims reflect precision issues (imprecise phrasing on collateral deposits, Bolts Capital announcement timing, minor regulatory details) rather than material falsehoods. The two unverifiable claims concern self-reported founder background data and an audit-flagging assertion that no cited source actually confirms. No claims were found to be outright disputed by credible sources.","score_delta":0,"sequence_num":6,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 68608e9a-196b-4096-ba9b-0a41eb549d5e
  7. #7review approveby judgejudge
    2026-06-04 00:32:18Z
    Score: 88 (no score change)
    The reviewer found zero disputed claims across 22 checked items, with all core allegations — exploit amounts, wallet addresses, timestamps, attack mechanics, and incident response actions — confirmed by multiple independent Tier 2 security sources including Halborn, Blockscope, QuillAudits, and Rekt News. The five partially-supported findings (claim_findings[8], [13], [14], [16], [21]) reflect minor phrasing imprecision and a timeline conflation around the Bolts Capital announcement, not material falsehoods. The two unverifiable claims (claim_findings[9] and [18]) concern peripheral background detail and an unconfirmed prior-audit assertion; no source actively contradicts them, but the audit-flagging claim in sections[1] should be qualified. Two high-priority coverage gaps exist around current attacker wallet status and audit history, but these represent expansion opportunities per review policy rather than factual failures in the current text.
    anchoranchored
    chain
    mainnet-betaslot 424,135,747
    sig
    664DLNYWYPXe…jHZvUNRRexplorer ↗
    hash
    7NZnT795Z4Ef…tvChnK3Hsha256 → base58
    verifying row…full verify ↗
    canonical bytes (1310 B) ▸
    {"actor":"judge","decided_at":"2026-06-04T00:32:18.346Z","decision":"review_approve","investigation_id":"4a736de8-81d9-4b63-944d-32ddd8b0ff17","new_score":8,"page_slug":"zoth-protocol","prev_score":8,"reason":"The reviewer found zero disputed claims across 22 checked items, with all core allegations — exploit amounts, wallet addresses, timestamps, attack mechanics, and incident response actions — confirmed by multiple independent Tier 2 security sources including Halborn, Blockscope, QuillAudits, and Rekt News. The five partially-supported findings (claim_findings[8], [13], [14], [16], [21]) reflect minor phrasing imprecision and a timeline conflation around the Bolts Capital announcement, not material falsehoods. The two unverifiable claims (claim_findings[9] and [18]) concern peripheral background detail and an unconfirmed prior-audit assertion; no source actively contradicts them, but the audit-flagging claim in sections[1] should be qualified. Two high-priority coverage gaps exist around current attacker wallet status and audit history, but these represent expansion opportunities per review policy rather than factual failures in the current text.","score_delta":0,"sequence_num":7,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision f8191944-bf6f-4014-afce-03f490b7278c
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.