Blog

zkLend loses $9.5M in crypto heist, asks hacker to return 90%

4 hours ago
1 minute read

Decentralized money lender zkLend suffered a breach where threat actors exploited a smart contract flaw to steal 3,600 Ethereum, worth $9.5 million at the time.

zkLend is a decentralized money-market protocol built on Starknet, a Layer 2 scaling solution for Ethereum. It enables users to deposit, borrow, and lend various assets.

The attack took place yesterday afternoon, with zkLend warning on X they were suffering a cybersecurity incident.

According to the EthSecurity Telegram channel, the threat actors exploited a rounding error bug in zkLend’s smart contract mint() function.

“The attacker manipulated the “lending_accumulator” to be very large at 4.069297906051644020, then took advantage of the rounding error during ztoken mint() and withdraw() to repeatedly deposit 4.069297906051644021 wstETH getting 2 wei then withdraw 4.069297906051644020*1.5 -1 = 6.103946859077466029 wstETH to expend just 1 wei,” reads a post to the EthSecurity channel.

Starkware, who developed the Starknet network, confirmed that the vulnerability was not part of Starknet technology but rather an application-specific bug.

According to Cyvers, the threat actors attempted to launder the crypto through the RailGun privacy protocol but was blocked due to protocol policies.

zkLend has now issued a message to the hacker stating that if they return 90% of the stolen Ethereum, which is 3,300 ETH, they can keep the other 10% and will not face any liability for the attack.

“We understand that you are responsible for today’s attack on zkLend. You may keep 10% of the funds as a whitehat bounty, and send back the remaining 90%, or 3,300 ETH to be exact, to this Ethereum address: 0xCf31e1b97790afD681723fA1398c5eAd9f69B98C,” reads an on-chain message to the hacker.

“Upon receiving the transfer, we agree to release from any and all liability regarding the attack.”

“We are working with security firms and law enforcement at this stage. If we do not hear from you by 00:00 UTC, 14th Feb 2025, we will proceed with the next steps to track and prosecute you.”

zkLend message to hacker

The crypto thieves have until February 13, at 7:00 PM EST, to return 90% of the stolen funds, after which zkLend will pursue legal action.

There has not been any response from the hacker, which is usually the case in these situations. No threat actors have been attributed to the attack.


Source link

Tags
4 hours ago
1 minute read

Related Articles

10 Ways to Quiet the Noises Your House Is Making

2 hours ago

Don’t Let Pet Hair Ruin Your Washer

2 hours ago

ChatGPT’s GPT-4.5 and GPT-5 Upgrades Are on the Way

2 hours ago

Oppo Find N5: Global Launch Announced for World’s Thinnest Book-Style Foldable Smartphone

3 hours ago

5 best shows like ‘Apple Cider Vinegar’ to stream next

3 hours ago

Trump vs. Twitter: The president takes on social media moderation

5 hours ago

Metal Gear Solid Delta: Snake Eater Official Release Date Revealed

5 hours ago

Chatbots distort the facts about news – Computerworld

7 hours ago

Easy, Budget-Friendly Dinner Recipes for Valentine’s Day

7 hours ago

A Complete Guide to Over-the-Counter Hearing Aids

7 hours ago
Back to top button
close