A major security breach has hit ZkLend, a decentralized lending protocol operating on Starknet, with hackers making off with an estimated $9.5 million in stolen funds according to blockchain security firm Cyvers.
In response to the attack on February 12, ZkLend has offered the hacker a deal - return 90% of the funds (approximately 3,300 ETH) and keep 10% as a "whitehat bounty." The protocol set a deadline of February 14, 2025 at 00:00 UTC for the return of assets, promising no legal action if met.
The lending platform verified their communication through their Ethereum ZEND token deployer account and official social media channels. However, they warned of pursuing legal measures and asset tracking if the hacker refuses to comply.
As a precautionary measure, ZkLend has temporarily suspended all withdrawals and advised users against making new deposits or loan repayments. The team is currently working with blockchain security experts and law enforcement to investigate the incident.
According to Cyvers' analysis, the stolen ETH was initially bridged to Ethereum and routed through Railgun, a privacy-focused transaction service. However, due to Railgun's internal policies, the funds were eventually returned to their original address.
This incident adds to mounting security concerns in the cryptocurrency sector. Data from DeFiLlama shows that hackers have already stolen over $100 million from blockchain projects in early 2025, following a devastating $2.2 billion loss across 303 separate incidents in 2024.
The attack on ZkLend highlights the ongoing challenges faced by decentralized finance platforms in maintaining robust security measures against increasingly sophisticated cyber threats.