ZkLend Loses $9.5M in Starknet Exploit, Offers Bounty to Hacker

ZkLend blockchain protocol exploited for $9.5M on Starknet network, with stolen funds bridged to Ethereum and laundered via Railgun.

zkLend Hits $9.5M Starknet Hack

According to Cyvers, a blockchain security firm, decentralized lending protocol zkLend was hacked for an estimated $9.5 million on the Starknet network today, February 12, 2025.

The hacker bridged the stolen funds to the Ethereum network and laundered them through Railgun, a privacy protocol typically used to conceal crypto transactions. However, because of Railgun’s policies, the funds were returned to the original address.

“zkLend has been hacked for $9.5 million on the Starknet network. The stolen funds were bridged to Ethereum and laundered through Railgun, but funds returned to the original address by Railgun because of protocol policies!” – Cyvers.

The protocol did not confirm how the exploit was carried out, but blockchain investigators are probing potential exploits in smart contracts or structural bridges.

New Offer: 10% Bounty to Hacker

In response to the attack, zkLend has offered the hacker a 10% bounty for returning 90% of the stolen assets before 00:00 UTC on February 14.

“We know you are the person who is behind the attack on zkLend today. You may keep 10% of the funds as a whitehat bounty and send back the remaining 90%, or 3,300 ETH to be exact.”


The protocol also said that if the hacker refuses, the matter will be referred to law enforcement and security firms so the hacker can be tracked and prosecuted.

January saw a drop in hacking incidents, although the threat is still present. Across the industry, crypto heists in January 2025 dropped by 44% year-on-year, with $73 million stolen over the entire month.

Security analysts remained cautious, as 2024 saw an increase in crypto-related theft. According to their statistics, the year saw 165 incidents in which $2.3 million were lost, while one year earlier, in 2023, thefts totaled $1.69 billion.

As the recent exploit on zkLend shows, hackers keep finding different approaches to exploiting decentralized finance (DeFi) protocols even as their security continuously improves over time.

Some Hackers Return Stolen Funds

Curiously, some hackers return the money they obtained by hacking, yet still bear the wrath of blockchain security firms.

In May 2024, an attacker returned stolen Ether (ETH) worth $71 million after a wallet poisoning scam. An unsuspecting investor sent the funds directly to the wrong address, and the scammer withdrew them before eventually returning them.

It’s rare to find cases like these, but they do confirm the efficacy of blockchain tracing tools and ethical hacking bounties in influencing the behavior of attackers.

Offchain Validation: Future Prevention of Exploits

While exploits still occur, security firms such as Cyvers will devise new defense mechanisms to protect DeFi protocols.

A promising solution called offchain transaction validation enables a protocol to simulate a transaction before it is executed, potentially preventing up to 99% of common hacks.

“Offchain validation can detect and block fraudulent transactions before they occur.” – Michael Pearl, VP of GTM Strategy, Cyvers.

As thieves continue to succeed in threatening DeFi, stronger preemptive measures are proving necessary to safeguard the entire blockchain ecosystem.
