zkLend Halts Operations After $9.5 Million Security Breach

Generated by AI Agent | Coin World
Wednesday, Jun 25, 2025 3:40 pm ET

zkLend, a decentralized lending protocol on Starknet, has announced the cessation of its operations following a major security breach that occurred in February. The protocol, which had been operational for four years, declared on June 25 that it will allocate its remaining $200,000 treasury to a recovery fund for users affected by the breach. The exploit, which abused a rounding-precision flaw in zkLend's Starknet lending contracts, resulted in the loss of approximately 3,300 ETH, valued at around $9.5 million at the time. The attacker bridged the assets to

and routed them through the privacy tool Railgun.
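The article names the bug class but not the mechanism. The example below is an added, generic illustration of how a rounding-precision flaw in accumulator-based lending accounting leaks value; it is not zkLend's Starknet code and does not reproduce the February exploit. The pool model, the SCALE constant and the already-large accumulator value are assumptions made for the illustration: a large accumulator is what turns a one-unit rounding error into a large token amount. The same block shows the hardened rounding direction and a solvency check a reviewer would want to run.

```python
"""Hypothetical pool with a rounding flaw in raw<->real balance conversion.

Each depositor's position is stored as a *raw* balance; the real balance is
raw * accumulator // SCALE. Conversions between token amounts and raw units
must round AGAINST the user on every path (mint rounds down, burn rounds up).
The 'safe=False' variant rounds in the user's favour on withdraw, so with a
large accumulator a withdrawal can burn zero raw units and drain the pool.
This is illustrative code, not zkLend's implementation.
"""

SCALE = 10**18  # fixed-point scale for the accumulator (assumption)


class Pool:
    def __init__(self, accumulator, safe):
        self.acc = accumulator  # tokens per raw unit, scaled by SCALE
        self.safe = safe        # True: round against the user on both paths
        self.liquidity = 0      # tokens actually held by the pool
        self.raw = {}           # user -> raw balance

    def balance_of(self, user):
        # Reported balance rounds down, so the pool never over-reports.
        return self.raw.get(user, 0) * self.acc // SCALE

    def deposit(self, user, amount):
        q, r = divmod(amount * SCALE, self.acc)
        # Safe: mint rounded DOWN (user may lose dust, pool never does).
        # Vulnerable: mint rounded UP, crediting more than was deposited.
        raw = q if (self.safe or r == 0) else q + 1
        self.raw[user] = self.raw.get(user, 0) + raw
        self.liquidity += amount
        return raw

    def withdraw(self, user, amount):
        q, r = divmod(amount * SCALE, self.acc)
        if self.safe:
            raw = q + (1 if r else 0)  # burn rounded UP against the user
        else:
            raw = q                    # BUG: rounds DOWN; can burn 0 raw units
        if raw > self.raw.get(user, 0):
            raise ValueError("insufficient raw balance")
        if amount > self.liquidity:
            raise ValueError("insufficient pool liquidity")
        self.raw[user] -= raw
        self.liquidity -= amount
        return raw


def solvent(pool):
    """Invariant: tokens held must cover every reported balance."""
    owed = sum(pool.balance_of(u) for u in pool.raw)
    return pool.liquidity >= owed


def run_attack(safe):
    """Constructed scenario: accumulator already large (1000 tokens per raw
    unit), a victim deposit of 10,000 and an attacker deposit of 1,000.
    The attacker repeatedly withdraws 999 tokens, which is below the value
    of one raw unit, so the vulnerable pool burns nothing for each call."""
    pool = Pool(accumulator=1000 * SCALE, safe=safe)
    pool.deposit("victim", 10_000)
    pool.deposit("attacker", 1_000)
    taken = 0
    for _ in range(20):
        try:
            pool.withdraw("attacker", 999)
            taken += 999
        except ValueError:
            break
    return {
        "net_gain": taken - 1_000,   # attacker profit after their own deposit
        "liquidity": pool.liquidity,  # tokens left in the pool
        "solvent": solvent(pool),
    }


if __name__ == "__main__":
    print("vulnerable:", run_attack(safe=False))
    print("hardened:  ", run_attack(safe=True))
```

In the vulnerable run the attacker's 1,000-token deposit nets 9,989 tokens and leaves the pool holding 11 tokens against 11,000 of reported balances; the hardened run burns a full raw unit for the first 999-token withdrawal, refuses the second, and the solvency invariant holds. The invariant in `solvent` is the kind of property that belongs in a fuzzing or formal-verification harness for any share- or accumulator-based contract.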

The security breach significantly undermined user confidence, and the subsequent delisting of the ZEND token from major exchanges further compounded the issue. This delisting sharply reduced trading depth and cut off a path to raise fresh liquidity, making a relaunch of the protocol unrealistic. The team at zkLend assessed various recovery options but ultimately decided to focus on compensating users through the recovery pool rather than attempting to rebuild the protocol.

In response to the breach, zkLend offered the exploiter a 10% bounty if 90% of the funds were returned by February 14, threatening legal action if the deadline was not met. However, the funds were never returned, and the protocol halted withdrawals while collaborating with security firm Cyvers, law enforcement agencies, and on-chain investigators. The investigation revealed an unexpected twist on April 1, when zkLend reported that the attacker had lost 2,930 ETH to a phishing site impersonating Tornado Cash. Blockchain analytics firm Lookonchain confirmed the loss, and the attacker sent an on-chain message admitting the mistake and expressing regret.

Despite the setback, zkLend plans to publish its refreshed, audited codebase as open-source in the coming weeks, allowing any developer to build on the framework. The team has also retained security outfit zeroShadow to trace any remaining stolen coins, pledging to route future recoveries to the user fund. zkLend will keep its DeFi Spring, recovery, and kSTRK portals online, enabling users to unstake assets or claim balances. The decision to wind down operations marks the end of zkLend’s four-year run on Starknet and formalizes the shift from rebuilding the protocol to compensating users through the recovery pool.

zeroShadow's tracing work continues, and any funds it recovers from the exploit will be directed back to affected users. The wider effects of the wind-down are less certain: it may draw more regulatory attention to DeFi security practices, and the release of an audited, open-source codebase gives other teams a reviewed framework to build on rather than starting from unaudited code.