Zero-Knowledge Protocol Zerobase Hit by Front-End Compromise, 270+ Users Affected
Over 270 users of the decentralized zero-knowledge proving network Zerobase suffered significant losses after attackers compromised the platform’s web interface, draining more than $240,000 in USDT in a coordinated strike on Friday.
According to chain analysis firm Lookonchain, the unauthorized fund movements began around 2:30 PM UTC as users interacted with what they believed was the legitimate Zerobase interface. The incident reveals a critical vulnerability in how blockchain platforms protect their user-facing applications—the attackers never needed to breach the underlying blockchain infrastructure itself.
How the Front-End Attack Unfolded
The methodology employed in this attack showcases a sophisticated but increasingly common threat vector. Rather than targeting the smart contracts on the blockchain, the bad actors deployed a phishing smart contract on BNB Chain designed to impersonate Zerobase’s legitimate interface. When unsuspecting users connected their wallets through the compromised front-end, they were prompted to approve USDT spending permissions through what appeared to be standard protocol interactions.
The malicious contract, identified by blockchain security platform HashDit as 0x0dd28fd7d343401e46c1af33031b27aed2152396, was engineered to hijack wallet connections and extract approved tokens. Once users granted the approval, the attackers could siphon funds autonomously, because a token approval authorizes the approved contract to move the owner's tokens without any additional user action or signature. One victim alone lost 123,597 USDT, demonstrating the substantial financial impact per affected account.
Why Front-End Attacks Are Particularly Dangerous
This category of security incident operates at the user interaction layer rather than the smart contract layer, making it substantially more difficult for non-technical users to detect. Attackers manipulate the interface and inject malicious code to intercept transactions or redirect assets after approvals have been granted. The blockchain’s security remains intact, but the user’s direct gateway to that security has been compromised.
Traditional wallet security practices focus on protecting against smart contract exploits, but front-end compromises require a different defensive mindset. Users often lack the technical knowledge to distinguish between a legitimate interface and a convincing phishing replica, particularly when both serve identical purposes and employ similar visual design.
Immediate Response and Mitigation Measures
Zerobase promptly acknowledged the incident through an official announcement, warning users who had interacted with the malicious contract. The protocol implemented automated safeguards specifically designed to protect affected wallet holders. According to Zerobase’s statement: “When you access ZEROBASE Staking, if your wallet is detected to have interacted with this contract, the system will automatically block deposits and withdrawals until the approval to the phishing contract is revoked.”
Lookonchain advised all affected users to conduct an immediate audit of their wallet permissions. Services like revoke.cash enable users to review and revoke any suspicious or unnecessary contract approvals, effectively removing the attacker’s ability to access funds. This preventative measure is essential for anyone who has granted token permissions to unknown or questionable contracts.
Additionally, wallet service providers took action to contain the damage. These platforms blocked the suspected domain hosting the malicious activity and blacklisted the relevant smart contracts to prevent further authorization risks. Affected users received automated alerts within 30 minutes, advising them to review and revoke any approvals connected to the compromised interface.
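The wallet check and approval audit described in this section can be sketched as a replay of ERC-20 `Approval` event logs. This is an added example, not Zerobase's or any wallet provider's code; the token address, wallet addresses and log entries are constructed, and only the flagged spender address comes from the article.

```python
# Constructed sample data throughout; only FLAGGED comes from the article.
# keccak256("Approval(address,address,uint256)"): standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
FLAGGED = {"0x0dd28fd7d343401e46c1af33031b27aed2152396"}  # phishing contract (HashDit)

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def last_approvals(logs):
    """Replay Approval logs in chain order -> {(token, owner, spender): amount}."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue  # other events; an ERC-721 Approval carries 4 topics
        key = (log["address"].lower(),
               topic_to_address(topics[1]), topic_to_address(topics[2]))
        state[key] = int(log["data"], 16)  # a later approve overwrites, 0 revokes
    return state

def wallets_to_block(logs, flagged=FLAGGED):
    """Owners whose latest approval to a flagged spender is non-zero.
    This is an upper bound: tokens need not emit Approval when transferFrom
    spends an allowance, so confirm with an on-chain allowance() read."""
    return sorted({owner for (_, owner, spender), amount
                   in last_approvals(logs).items()
                   if spender in flagged and amount > 0})

# --- constructed sample logs (hypothetical token and wallet addresses) ---
TOKEN, ALICE, BOB, CAROL, OTHER = ("0x" + c * 20 for c in ("11", "aa", "bb", "cc", "dd"))
PHISH = next(iter(FLAGGED))

def _log(block, index, owner, spender, amount, topic0=APPROVAL_TOPIC):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": TOKEN, "blockNumber": block, "logIndex": index,
            "topics": [topic0, pad(owner), pad(spender)], "data": hex(amount)}

SAMPLE_LOGS = [
    _log(105, 0, ALICE, PHISH, 0),             # Alice revoked (listed out of order)
    _log(100, 3, ALICE, PHISH, 2**256 - 1),    # Alice's earlier unlimited approval
    _log(101, 1, BOB, PHISH, 5_000),           # Bob: still approved
    _log(102, 0, CAROL, OTHER, 9_000),         # unrelated spender
    _log(103, 2, CAROL, PHISH, 7, "0x" + "00" * 32),  # different event, ignored
]

print(wallets_to_block(SAMPLE_LOGS))  # wallets to gate until they revoke
```

Only the wallet whose latest approval to the flagged contract is still non-zero is returned; the wallet that approved and later set the allowance back to zero is cleared.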
Broader Security Implications for the Ecosystem
The Zerobase incident underscores a persistent challenge in decentralized finance: the security of blockchain protocols only extends so far when users interact through vulnerable front-end interfaces. As the ecosystem matures, the attack surface has shifted from smart contract vulnerabilities to the more accessible attack vector of compromised web applications.
This pattern reflects an industry-wide reality—protocols must not only secure their on-chain components but also implement robust monitoring and rapid response mechanisms for off-chain threats. The incident also highlights why users should exercise extreme caution when approving token spending permissions, particularly for new or less-established protocols.
Front-end security represents an often-overlooked but critical component of overall platform resilience. As hackers continue to target these interfaces, both protocols and wallet providers must maintain constant vigilance and implement multi-layered detection systems to protect users from sophisticated phishing operations that leverage legitimate-appearing interfaces to extract approvals and drain funds.