zkLend Shuts Down After $9.5 Million Exploit

Decentralized lending protocol zkLend has announced its decision to wind down operations following a significant exploit in February that resulted in a loss of $9.5 million. The protocol, which was based on Starknet, has faced a series of challenges that ultimately led to this decision. The exploit severely impacted user confidence, and the subsequent delisting of zkLend’s ZEND token from major exchanges such as Bybit and KuCoin further exacerbated the situation. This delisting significantly reduced trading volume and made it difficult for users to exit their positions without incurring steep slippage.

The loss of token liquidity and the inability to relaunch the money markets prompted zkLend’s developers to conclude that continuing operations was no longer viable. In a post on X, the zkLend team announced that they would use the remaining $200,000 in their treasury to support affected users through a recovery fund. This decision was made in the interest of using resources more responsibly and meaningfully than attempting to relaunch the protocol.

Users of zkLend have been advised to unstake their funds or file claims through the DeFi Spring and kSTRK portals. The protocol has also retained the services of zeroShadow, a blockchain forensics firm, to track down the stolen assets. Any recovery from this effort will be added to the recovery fund. Additionally, zkLend plans to release its audited and refreshed codebase as open source in the coming weeks, allowing community developers to fork or build upon the existing code.

zkLend was launched on the Starknet mainnet in late 2023 with the aim of providing non-custodial lending and borrowing through yield-optimized money markets. The protocol leveraged zero-knowledge proofs to achieve high throughput and low gas fees. However, on February 11, an attacker exploited a flaw in zkLend’s lending accumulator via flash loans and rounding errors, resulting in the loss of approximately $9.5 million.

The post-mortem analysis by zkLend detailed how the vulnerability allowed the attacker to inflate the protocol’s state and drain deposits rapidly. In the aftermath of the exploit, zkLend offered the attacker a 10% bounty in return for the safe return of the remaining funds. However, the hacker went silent until March 31, when they sent a zero-value on-chain message claiming that 2,930 ETH out of the stolen funds had been lost to a phishing website impersonating Tornado Cash.

Many crypto investigators have expressed skepticism about the hacker’s claim, noting that the transaction used a more shady route to get to Tornado Cash and that the hacker did not mention the phishing website that took the funds. The DeFi community has responded with a mix of sympathy, frustration, and caution. Affected users will continue to monitor zeroShadow’s forensic progress, while the open-source release of zkLend’s audited contracts may pave the way for new projects that incorporate the team’s lessons.