zkLend Exploited for $4.9M in ETH, Team Appeals to Hacker with 10% Offer

zkLend, a decentralized finance lending protocol on Starknet, has suffered a significant security breach. As a result, it lost roughly 3,700 ETH, worth around $4.9 million.
The exploit has forced the platform to pause withdrawals while investigations continue.
Response to the Exploit
zkLend confirmed the incident in a series of X posts on February 11, stating that millions of dollars worth of cryptocurrency had been drained from its smart contracts.
“We are aware of the ongoing security incident on zkLend. The team is now investigating and will provide an update when possible,” the protocol stated. Hours later, it advised users to refrain from depositing or repaying funds while it worked to determine the root cause. It also halted all withdrawals to prevent further losses.
Following the attack, zkLend enlisted the help of several organizations, including StarkWare, ZeroShadow, Binance Security, and Hypernative Labs, to track the hacker and recover the stolen funds. It also promised to share a more detailed analysis as soon as a post-mortem was completed.
The exploit affected several DeFi strategies linked to zkLend, including STRKFarm’s STRK, USDC, and ETH Sensei strategies, putting withdrawals on ice until the situation is resolved.
According to blockchain security firm QuillAudits, the perpetrator, identified by the address 0x64…9109, first targeted a specific contract, 0x04…3b26, before siphoning the funds. They then moved the stolen assets to Ethereum, funneling them through the Railgun crypto mixer, a privacy-focused tool often used to obscure transaction trails.
On-chain data shared by the security platform showed several transactions leading to laundering activity, with 706 ETH, valued at about $1.8 million, already sent through the mixer.
Whitehat Bounty Offer
In a last-ditch effort to recover the funds, zkLend issued a direct message to the hacker, offering a 10% whitehat bounty. This would mean the attacker keeps nearly 400 ETH, worth a few million dollars, if the remaining 3,300 ETH were returned by 00:00 UTC on Valentine’s Day. The team also stressed that the offer is legally binding and releases the exploiter “from any and all liability” regarding the heist.
It isn’t the first time protocols on the wrong end of exploits have tried negotiating with bad actors to have funds returned. In March last year, WOOFi lost $8.5 million in a flash loan attack and subsequently offered a share of the loot as a whitehat bounty.
Similarly, nearly half a year before that, North Korean hackers stole more than $70 million from the CoinEx crypto exchange’s hot wallets, leading the platform to offer them what it termed a “generous bug bounty.”
Sadly, in both cases, no funds were ever returned despite the bounty pleas.