zkLend Hack — February 11, 2025
The Exploit
On February 11, 2025, zkLend, a money market protocol on Starknet, was attacked using an empty market exploit, causing the loss of around $9.6 million. The exploit targeted the wstETH token, which had newly launched on Starknet.
Technical Details
The attacker used flash loans and rounding vulnerabilities to artificially manipulate zkLend's accumulator mechanism. The root cause was a combination of three issues:
1. Empty market initialization allowing arbitrary asset deposits
2. The specific donation mechanism in zkLend's flash loan enabling manipulation of the accumulator
3. Precision loss due to truncation
Starting with a small amount of wstETH as initial capital, the attacker used these vulnerabilities to inflate the collateral balance to over 7,000 wstETH, which enabled the borrowing of other assets from the market.
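How the three issues combine can be checked with a small integer model that compares a truncating burn with one that rounds up. This is an added example, not zkLend's contract code: SCALE, Market and leak_after_donation are hypothetical names, and the 10**27 scale and the donation formula are simplifying assumptions.

```python
# Added example: simplified model of an accumulator-based market, not zkLend's code.
# SCALE, Market and leak_after_donation are hypothetical names.
SCALE = 10**27  # assumed fixed-point scale of the accumulator


class Market:
    def __init__(self, round_up_burn: bool = False):
        self.accumulator = SCALE            # face value of one raw unit, scaled
        self.raw_supply = 0                 # total raw deposit units outstanding
        self.round_up_burn = round_up_burn  # hardened: round burns against the user

    def face_value(self, raw: int) -> int:
        return raw * self.accumulator // SCALE

    def deposit(self, amount: int) -> int:
        minted = amount * SCALE // self.accumulator  # rounds down, favours the pool
        self.raw_supply += minted
        return minted

    def donate(self, amount: int) -> None:
        # A donation is spread over the existing raw units, so the smaller
        # the supply, the larger the jump in the accumulator.
        self.accumulator += amount * SCALE // self.raw_supply

    def withdraw(self, amount: int) -> int:
        num = amount * SCALE
        if self.round_up_burn:
            burned = -(-num // self.accumulator)     # ceiling division
        else:
            burned = num // self.accumulator         # truncation, favours the user
        self.raw_supply -= burned
        return burned


def leak_after_donation(first_deposit: int, donation: int, amount: int,
                        round_up_burn: bool = False) -> int:
    """Face value paid out minus face value of raw units burned (>0 is a leak)."""
    m = Market(round_up_burn)
    m.deposit(first_deposit)   # first depositor sets the raw supply
    m.donate(donation)         # accumulator moves by donation / raw_supply
    m.deposit(2 * amount)      # fund the position being withdrawn from
    return amount - m.face_value(m.withdraw(amount))


if __name__ == "__main__":
    print(leak_after_donation(1, 3, 6))                      # near-empty market
    print(leak_after_donation(10**18, 3, 6))                 # seeded market
    print(leak_after_donation(1, 3, 6, round_up_burn=True))  # hardened rounding
```

In this model the truncation leak stays at one base unit when the market is already seeded, grows with the accumulator when the market is near-empty, and disappears when the burn is rounded up. The same function works as a regression check: the leak should never be positive in the hardened mode.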
Post-Hack Developments
On February 18, 2025, the attacker returned approximately $3.2 million of the stolen funds after negotiations with the zkLend team.
zkLend shut down operations four months after suffering the exploit that drained around $9.6 million in user funds. Major exchanges Bybit and KuCoin delisted ZEND in recent weeks, slashing trading volume and making it nearly impossible for users to exit positions without steep slippage.