Decentralized finance (DeFi) platform zkLend has fallen victim to a major cyberattack, with hackers exploiting a flaw in its smart contract to steal roughly 3,600 ETH—worth approximately $9.5 million at the time of the breach.

How the Attack Happened

The breach occurred yesterday afternoon, with zkLend quickly alerting users on X (formerly Twitter) about an ongoing cybersecurity incident. According to the EthSecurity Telegram channel, the attackers exploited a rounding error in zkLend’s smart contract function known as mint().

By inflating the contract’s “lending_accumulator” value to an extremely large number, the attacker made every deposit-and-withdraw cycle trigger the rounding error in their favour. Repeating the cycle let them gradually drain funds from the platform while spending only minimal amounts in return.
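As an added illustration (constructed for this article, not zkLend’s code), the model below shows why the rounding direction in an accumulator-based mint()/withdraw() pair matters once the accumulator is huge, and the invariant check a reviewer would run against such code: a deposit-then-withdraw round trip must never pay the depositor more than they put in. The names `acc`, `SCALE`, `Pool`, `cycle_gain` and the 18-decimal fixed point are assumptions of the model, not zkLend identifiers.

```python
"""Constructed model of an accumulator-based lending pool, used to check the
rounding direction of mint()/withdraw(). Not zkLend's code: `acc` stands in
for the page's lending_accumulator; SCALE (18-decimal fixed point) is assumed."""
SCALE = 10**18

def div_ceil(a: int, b: int) -> int:
    return -(-a // b)

class Pool:
    """Claim on underlying = ztokens * acc / SCALE."""

    def __init__(self, acc: int, liquidity: int, hardened: bool):
        self.acc = acc              # inflated to a huge value in the incident
        self.reserves = liquidity   # underlying supplied by other users
        self.hardened = hardened

    def mint(self, amount: int) -> int:
        """Deposit `amount` underlying and receive ztokens."""
        raw = amount * SCALE
        # Vulnerable pattern: round in the depositor's favour (ceil).
        # Hardened: floor (against the depositor) and refuse zero-share deposits.
        shares = raw // self.acc if self.hardened else div_ceil(raw, self.acc)
        if self.hardened and shares == 0:
            raise ValueError("deposit too small to mint a share")
        self.reserves += amount
        return shares

    def withdraw(self, shares: int) -> int:
        """Burn ztokens and receive underlying, never more than the pool holds."""
        raw = shares * self.acc
        amount = raw // SCALE if self.hardened else div_ceil(raw, SCALE)
        amount = min(amount, self.reserves)
        self.reserves -= amount
        return amount

def cycle_gain(acc: int, amount: int, hardened: bool, liquidity: int = 10**24) -> int:
    """Net underlying gained by one deposit/withdraw round trip (must be <= 0)."""
    pool = Pool(acc, liquidity, hardened)
    return pool.withdraw(pool.mint(amount)) - amount

def rounding_invariant_holds(acc: int, amounts, hardened: bool) -> bool:
    """Review check: no deposit size lets a round trip favour the depositor."""
    for a in amounts:
        try:
            if cycle_gain(acc, a, hardened) > 0:
                return False
        except ValueError:
            continue  # a refused dust deposit is safe for the pool
    return True
```

With the accumulator inflated to 4e28, a 1 wei deposit in the user-favourable pool comes back as 4e10 wei, while the hardened pool either refuses the dust deposit or returns at most what was deposited.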

Starkware and Cyvers Respond

Starkware, the team behind the Starknet network, clarified that the vulnerability was not part of Starknet’s core technology but rather a flaw specific to zkLend’s smart contract. Meanwhile, blockchain security firm Cyvers reported that the attackers attempted to launder the stolen crypto through the RailGun privacy protocol. However, due to protocol policies, this attempt was blocked.

zkLend’s Offer to the Hacker

In an unusual move, zkLend has publicly reached out to the hacker with an offer: return 90% of the stolen Ethereum (3,300 ETH), and they can keep the remaining 10% as a “whitehat bounty.” Additionally, zkLend assured the attacker that if they complied, they would face no legal consequences.

The message, sent via an on-chain transaction, stated:

“We understand that you are responsible for today’s attack on zkLend. You may keep 10% of the funds as a whitehat bounty and send back the remaining 90%, or 3,300 ETH, to this Ethereum address: 0xCf31e1b97790afD681723fA1398c5eAd9f69B98C.”

“Upon receiving the transfer, we agree to release from any and all liability regarding the attack.”

However, zkLend also issued a stern warning: if the hacker does not respond by 00:00 UTC on February 14, 2025, the company will escalate the matter, involving law enforcement and security firms to track and prosecute those responsible.

So far, there has been no response from the attacker, which is common in these types of breaches. While some hackers in the past have returned stolen funds in exchange for immunity, many simply disappear, laundering their loot through various crypto-mixing services.