Starknet-based lending protocol zkLend has suffered a $9.5 million exploit. This is the protocol’s first significant setback, as it has been gaining traction since its launch in 2022.
Notably, the protocol says its smart contracts had been audited by security firms including ABDK Consulting and Nethermind. Those audits did not prevent the hack: an audit is a point-in-time review of the code it covers and cannot guarantee that no exploitable logic flaw remains.
zkLend Suffers $9.5 Million Exploit
On-chain analytics platform DeFiLlama classifies the zkLend exploit as a “Protocol Logic” attack, meaning the attacker exploited a flaw in the smart contracts’ own business logic rather than relying on phishing, a leaked private key, or a governance takeover.
After draining the funds, the attacker bridged them to Ethereum and attempted to route them through Railgun, a zero-knowledge privacy protocol, which is a common laundering step. Unexpectedly, Railgun’s internal policies caused the funds to be returned to the attacker’s address rather than shielded, preventing immediate laundering.
In response to the attack, zkLend sent an on-chain message to the hacker, offering a whitehat bounty if 3,300 ETH ($8.6 million) is returned. The message, signed from the Ethereum ZEND token deployer account, stated:
“You may keep 10% of the funds as a whitehat bounty and send back the remaining 90%, or 3,300 ETH… Upon receiving the transfer, we agree to release you from any and all liability regarding the attack.”
The protocol also warned the attacker that it is working with security firms and law enforcement, and set a deadline of February 14 to return the funds before it pursues legal action.
zkLend Assures Users
To protect users, zkLend paused withdrawals and advised users not to deposit or repay funds while the investigation was ongoing. It said:
“We are committed to full transparency and will share a comprehensive post-mortem analysis. Your trust remains our highest priority, and we appreciate your patience and support as we resolve this issue.”
The team also says it has partnered with StarkWare, Starknet Foundation, ZeroShadow (formerly Chainalysis Incident Response), Binance Security Team, and Hypernative Labs to track the stolen funds and identify the hacker.
Meanwhile, following the exploit, the protocol’s governance token, ZEND, fell more than 13%, reflecting investor concern over the platform’s security and stability. The attacker has yet to respond to the on-chain bounty message, and no funds have been returned since.