zkLend Shuts Down After $9.5 Million Hack, Redirects Funds to Users

Generated by AI Agent, Coin World
Wednesday, Jun 25, 2025 2:42 pm ET

Lending protocol zkLend announced on June 25 that it would cease operations and redirect its remaining $200,000 treasury to a fund for users affected by a security breach that occurred in February. The team cited the exploit as having "deeply eroded user confidence," which, combined with the delisting of the ZEND token from major exchanges, led to a significant decline in the capital and liquidity necessary for new products.

As zkLend assessed recovery options, the delisting from Bybit and KuCoin sharply reduced trading depth and cut off a path to raise fresh liquidity. The team concluded that these constraints made a relaunch unrealistic. Instead, zkLend will keep its DeFi Spring, recovery, and kSTRK portals online, allowing users to unstake assets or claim balances. The protocol also retained security outfit zeroShadow to trace any remaining stolen coins, pledging to route future recoveries to the user fund.

zkLend plans to publish its refreshed, audited codebase as open-source "in the coming weeks" for any developer who wants to build on the framework. The team added that it will "remain online and committed to the recovery of stolen funds through any means necessary," but will not restart its money-market operations. This decision marks the end of zkLend’s four-year run on Starknet and formalizes the shift from rebuilding the protocol to compensating users through the recovery pool.

On February 12, an attacker exploited a precision rounding flaw in zkLend’s Starknet contracts to drain approximately 3,300 ETH, worth roughly $9.5 million at the time. The exploiter bridged the assets to

and routed them through the privacy tool Railgun. zkLend offered the exploiter a 10% bounty if 90% of the funds were returned by February 14, warning that it would pursue legal action if the deadline passed. The funds never came back, and the protocol halted withdrawals while it worked with security firm Cyvers, law enforcement agencies, and on-chain investigators.

The investigation produced an unexpected twist on April 1 when zkLend reported that the attacker lost 2,930 ETH to a phishing site impersonating Tornado Cash. Blockchain analytics firm Lookonchain confirmed the loss, and the attacker sent an on-chain message admitting the mistake, stating he lost all the funds. He added: “I’m devastated and sorry.” The breach left users locked out of their deposits, and the protocol’s reputation suffered as a result.