Highlights:
- zkLend lost 3,300 ETH in a hack and halted withdrawals to protect funds.
- The hacker was offered a deal to keep 10% if they returned the rest before February 14.
- The company will collaborate with security teams to track the stolen assets.
zkLend, a lending protocol on StarkNet, has reported a security breach that resulted in the loss of 3,300 ETH, amounting to approximately $9 million. The platform has blocked withdrawals as a safety measure to limit further risk. zkLend has also sent an on-chain message to the hacker in the hope of retrieving the stolen funds.
To the hacker:
We understand that you are responsible for today’s attack on zkLend. You may keep 10% of the funds as a whitehat bounty, and send back the remaining 90%, or 3,300 ETH to be exact, to this Ethereum address: 0xCf31e1b97790afD681723fA1398c5eAd9f69B98C.
Upon… pic.twitter.com/piEVPDHZd4
— zkLend (@zkLend) February 12, 2025
The company offered to pay the hacker 10% of stolen funds as a white hat reward. The company asked the hacker to return 90% of the stolen funds worth approximately $8.4 million and promised not to take any legal action if they returned the funds. The platform stated that, upon receiving the transfer, it would release the attacker from all liability regarding the exploit.
CertiK Alert reported that zkLend experienced multiple attack transactions which led to a loss of approximately $5 million initially. The stolen funds were later bridged to Ethereum using a specific wallet address.
Investigation Underway as zkLend Collaborates with Security Firms
After the breach, zkLend opened an investigation to determine how it happened. The team suspects that the funds were drained through a code vulnerability within the smart contract platform. zkLend is working with blockchain analytics groups and security companies to locate the stolen assets.
Companies such as StarkWare, StarkNet Foundation, zeroShadow, Binance Security, and Hypernative Labs are working together to investigate the hack. The team is working to track the movement of the funds and to establish the identity of the person behind the hack.
zkLend has given the hacker a deadline of February 14, 2025, at 00:00 UTC to respond. If the hacker fails to comply, the company will take further action. The protocol has announced that it will team up with legal experts and law enforcement to pursue the hacker after the deadline. The protocol has assured its users that it is taking all necessary steps to recover the funds and to improve security.
After the breach occurred, zkLend instructed users to stop depositing and repaying funds until the problem is fixed. The company declared that the security of its users’ assets is its top priority. The hack occurred just two weeks after Phemex, a cryptocurrency exchange based in Singapore, lost more than $70 million on January 23.
Security Challenges and the Road Ahead for zkLend
The cryptocurrency community is actively tracking the incident and analyzing potential scenarios. Members have noted that the stolen funds remain immobile because StarkNet imposes a 12-hour delay for withdrawals. That delay gives time to trace the assets, which might lead to their recovery before additional transfers occur.
The stolen funds can't be withdrawn to the mainnet so quickly anyway, and the STARK official bridge withdrawal needs to wait for 12 hours, think about the practice of RHO on the scroll, THE FUNDS must be recovered, if not, it is the project party guarding and stealing
— 零撸砖家 (@bigcockfuckass) February 12, 2025
Members have expressed concerns about system security protocols that existed before the attack. They suspect possible internal involvement if the recovery plans do not succeed. The zkLend team has promised complete accountability as they carry out the investigation. Once the investigation ends, the company will publish a thorough analysis report.