Decentralised lending protocol zkLend lost over $9 million after a hacker exploited the protocol’s smart contracts.
According to a February 12 announcement, the Starknet-based protocol flagged the security incident earlier today, noting that its internal team was investigating the matter.
In the meantime, zkLend has suspended all withdrawals and launched an investigation in collaboration with multiple security teams, including the Starknet Foundation, StarkWare, Binance Security Team, and Hypernative Labs, alongside law enforcement.
A post-mortem of how the exploit transpired is yet to be published.
Initial estimates from security firm Cyvers put losses at $4.9 million; in a subsequent update, however, the firm said total losses exceeded $9 million.
The attacker reportedly bridged the stolen assets to Ethereum and attempted to launder them through the privacy-focused mixing service Railgun.
However, due to Railgun’s internal policies, a portion of the funds was returned to their original address.
Recovery efforts
Besides the ongoing investigations, zkLend has offered the hacker a whitehat bounty.
The project sent an on-chain message to the attacker, proposing they keep 10% of the stolen assets with no legal action if they return the remaining 90%.
With this, zkLend hopes to recover 3,300 ETH or approximately $8.6 million of the lost funds at current market prices.
Such bounties are often offered by victims of exploits in the DeFi sector and, in a few cases, even lead to the recovery of funds.
For instance, after Euler Finance was hacked for $196 million in March 2023, the protocol placed a $1 million bounty on the hacker's head; the hacker eventually negotiated with Euler and returned most of the stolen funds.
For the zkLend incident, the hacker has until 00:00 UTC on February 14 to respond, after which the project has vowed to escalate the matter to law enforcement and intensify efforts to track them down.
The second DeFi exploit this week
Today’s exploit marks the second major attack within the DeFi space this week. Just a day prior, BNB Chain-based meme coin deployer Four.Meme was exploited, leading to the protocol suspending liquidity pool launches on PancakeSwap.
However, losses from that attack were much less severe, with early estimates claiming roughly $200,000 worth of BNB tokens were drained.
As previously reported by Invezz, crypto hacks jumped over nine times in January 2025 compared to the previous month. Over $73 million was stolen by bad actors, although the number reflects a 44% drop compared to January 2023.
BNB Chain was the most targeted chain, having suffered 10 reported attacks, followed by Ethereum.
The post Starknet-based zkLend suffers exploit, over $9 million drained appeared first on Invezz