DeFi Lending Platform zkLend Drained of $9.5 Million in Exploit

zkLend, a decentralized money lending platform on the Starknet blockchain, has fallen victim to a major exploit, with the hacker draining $9.5 million in crypto assets.

Blockchain security firm Cyvers confirmed that the stolen funds were initially bridged to Ethereum and funneled through the privacy protocol Railgun.

The funds were then redirected to the original address due to the protocol’s internal policies, Cyverse said on Monday.

Following the incident, zkLend paused all withdrawals and advised users to hold off on depositing or repaying loans while they investigated the incident.

The breach has raised alarm bells in the DeFi space, as it comes as a part of growing security concerns within the sector. Cybercriminals have already stolen over $110 million from blockchain projects this year, according to DeFiLlama data.

zkLend reached out to the hacker with an on-chain message offering a 10% “white hat” bounty in exchange for the return of the remaining funds—amounting to 3,300 ETH (roughly $8.78 million).

“Upon receiving the transfer, we agree to release from any and all liability regarding the attack,” the platform informed.

zkLend set a strict deadline of Feb. 14 for the hacker to comply, warning that legal action would be taken if the funds were not returned.

The lending platform said they are already working with law enforcement and several security firms—including StarkWare, Starknet Foundation, Binance Security—to trace the stolen funds and catch the hacker.

“This was one of the biggest hacks on Starknet if not the biggest in recent years,” Preetam Rao, CEO and Co-founder of web security firm QuillAudits, told Decrypt. “Good to see zkLend is being transparent throughout the situation also offered a bounty to the hacker.”

The root cause of the hack doesn’t seem to be in the proof system, but rather in the contract logic,” Rao said, noting his team is reviewing the incident to prevent similar issues in other protocols.

Speaking to Decrypt, Meir Dolev, Co-founder and CTO of Cyvers, noted: “This incident highlights security risks in DeFi lending and raises concerns about the safety of protocols on Starknet’s zero-knowledge rollup infrastructure.”

Unlike traditional coin mixers such as Tornado Cash, which pools and redistribute funds to obscure their origin, the zkLend hackers used Railgun which integrates privacy features directly into DeFi applications, ensuring users’ anonymity while interacting with the blockchain.

“We are committed to full transparency and will share a comprehensive post-mortem analysis as soon as it is completed,” the team tweeted, urging users to remain patient as they work through the incident.

At the Web3 Summit 2024, ImmuneFi founder Mitchell Amador shared his thoughts with Decrypt, calling DeFi hacking “an infinitely sustainable and viable business.” But he added that the crypto space is “unquestionably” getting safer.

DeFi hackers, he said, were “looking for more damage, more than ever—and their skills are also applicable in a number of different areas.”

Edited by Stacy Elliott.