zkLend, a Starknet-based lending protocol, suffered a significant security breach resulting in over $9 million theft. The platform publicly acknowledged the attack via its X account, issuing an unprecedented appeal directly to the perpetrator.
The appeal offered a 10% “white hat” bounty, requesting the return of the remaining 90% (approximately 3,300 ETH) to a specified Ethereum address (0xCf31e1b97790afD681723fA1398c5eAd9f69B98C).
zkLend Negotiates with Hacker to Recoup Loss
The platform explicitly stated that it would waive all liability concerning the attack upon receiving the returned funds. However, they imposed a deadline. Failure to comply by 00:00 UTC on February 14th, 2025, would trigger immediate legal action, in collaboration with cybersecurity firms and law enforcement agencies.
Furthermore, because the message was sent from the Ethereum ZEND token deployer account, zkLend presents it as a binding agreement, verifiable by cross-referencing with zkLend’s official X account.
To the hacker:
We understand that you are responsible for today’s attack on zkLend. You may keep 10% of the funds as a whitehat bounty, and send back the remaining 90%, or 3,300 ETH to be exact, to this Ethereum address: 0xCf31e1b97790afD681723fA1398c5eAd9f69B98C.
Upon… pic.twitter.com/piEVPDHZd4
— zkLend (@zkLend) February 12, 2025
The specifics of the exploit remain under investigation. Preliminary assessments suggest a vulnerability in the smart contract code allowed unauthorized fund transfers, mirroring common patterns in similar DeFi hacks.
zkLend is actively tracking the stolen assets and working diligently to identify the perpetrators, leveraging expertise from various security firms including StarkWare Ltd, Starknet Foundation, zeroshadow.io, Binance Security Team, and Hypernative Labs.
zkLend Suspends All Withdrawals
As a direct consequence of the breach, zkLend temporarily suspended all withdrawal functions to mitigate further risk. This proactive measure aims to prevent any potential escalation of the situation while a thorough investigation unfolds. The platform commits to a transparent process, promising a comprehensive post-mortem report detailing their analysis findings.
While some users on X questioned how quickly the stolen funds could be moved, given the 12-hour withdrawal period enforced by the STARK official bridge, others voiced suspicion of internal complicity should recovery efforts prove unsuccessful.