$9 570 000 USD

FEBRUARY 2025

GLOBAL

ZKLEND

DESCRIPTION OF EVENTS

zkLend is a next-generation L2 money-market protocol built on Starknet, offering decentralized lending, borrowing, and depositing for both retail and institutional users. It provides competitive yields based on real-time supply and demand, a robust risk framework, and secure, scalable transactions using validity proofs. The platform supports institutional DeFi markets with KYC, compliance, capital efficiency, and customizable loan terms. zkLend’s roadmap includes core functionality reliability, mainnet launches, cross-chain lending, and institutional MVP in 2024. The platform is backed by trusted institutions like Nethermind and ABDK Consulting for infrastructure and security.

 

zkLend is designed to provide a secure and efficient decentralized money-market platform for retail users, offering seamless deposit and borrowing of digital assets with yields derived from interest paid by borrowers. The platform, now live on the mainnet with fully audited contracts, ensures user safety and leverages the latest blockchain technology to offer a smooth experience. Powered by Starknet's L2 solution, zkLend benefits from superior transaction speed, low costs, and innovations like account abstraction and trustless bridging, making it a future-proof platform for decentralized finance. With a focus on scalability and decentralization, zkLend is poised to lead in the DeFi space.

 

The zkLend protocol contained at least 3 minor vulnerabilities, which either had been missed by the single firm Nethermind or had been introduced in subsequent modifications.

 

"The attacker manipulated the "lending_accumulator" to be very large at 4.069297906051644020, then took advantage of the rounding error during ztoken mint() and withdraw() to repeatedly deposit 4.069297906051644021 wstETH getting 2 wei then withdraw 4.069297906051644020*1.5 -1 = 6.103946859077466029 wstETH to expend just 1 wei."
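The withdrawal-side rounding described in the quote above, as an added example that is not part of the original page or zkLend's Cairo code. It is a toy Python model comparing a burn that rounds down with one that rounds up. It assumes the accumulator is expressed as wei of wstETH per raw zToken unit, and all function names are hypothetical.

```python
# Toy model of accumulator-scaled share accounting. Constructed for
# illustration; names and structure are assumptions, not zkLend's Cairo code.

# Accumulator value from the quote, taken here as wei of wstETH per raw unit.
ACC = 4_069_297_906_051_644_020


def burn_floor(amount_wei: int) -> int:
    """Raw units burned for a withdrawal, rounding down (favours the user)."""
    return amount_wei // ACC


def burn_ceil(amount_wei: int) -> int:
    """Raw units burned for a withdrawal, rounding up (favours the pool)."""
    return -(-amount_wei // ACC)


def value_change(raw_before: int, amount_wei: int, burn) -> int:
    """Net change in the holder's total value (payout plus remaining claim)
    after withdrawing amount_wei. A sound pool never lets this be positive."""
    burned = burn(amount_wei)
    if burned > raw_before:
        raise ValueError("withdrawal exceeds balance")
    remaining_claim = (raw_before - burned) * ACC
    return amount_wei + remaining_claim - raw_before * ACC


def check_invariant(burn, raw_before: int = 2) -> bool:
    """Sweep withdrawal sizes across one rounding step and report whether
    any of them leaves the holder better off than before."""
    samples = [1, ACC - 1, ACC, ACC + 1, ACC * 3 // 2 - 1, 2 * ACC - 1, 2 * ACC]
    for amount in samples:
        try:
            if value_change(raw_before, amount, burn) > 0:
                return False
        except ValueError:
            continue  # rejected withdrawal cannot leak value
    return True


if __name__ == "__main__":
    w = ACC * 3 // 2 - 1  # 6.103946859077466029 wstETH, as in the quote
    print("floor burn:", burn_floor(w), "gain:", value_change(2, w, burn_floor))
    print("ceil burn: ", burn_ceil(w), "gain:", value_change(2, w, burn_ceil))
    print("invariant holds (floor):", check_invariant(burn_floor))
    print("invariant holds (ceil): ", check_invariant(burn_ceil))
```

The check that matters for review and fuzzing is the invariant in `check_invariant`: no withdrawal may increase payout plus remaining claim, which holds only when burns round up.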

 

Rekt reports 9.57M USD.

 

"On 11th February 2025, zkLend, a money market protocol on Starknet, was attacked using an empty market exploit, causing the loss of around $9.6 million US dollars. The exploit was made against the wstETH token that was newly launched on Starknet. Initial analysis has been performed and this post-mortem serves as a brief report of the progress thus far."

 

"Smart contracts suspension: The zkLend markets contract was immediately paused after the attack, suspending all deposits, withdrawals, borrowing, repayment, flash loans, and liquidations. An active warning was put out on the app's homepage. Security collaboration: Working with security experts such as zeroShadow to notify exchanges, Chainalysis, TRM and Elliptic of associated wallet addresses. Fund tracking: Continuously track stolen funds and the attacker's activities. Legal collaboration: Actively working with law enforcement (Hong Kong Police, FBI, Homeland Security) to identify and apprehend the hacker. Hacker communication: An on-chain message was sent to the hacker to seek resolution and return funds, but no response has been received. Community updates: Regular updates are being provided to users and partners regarding the protocol's status and developments."

 

"As the exploiter did not contact us by the deadline, the zkLend team is pursuing legal action, which may be a prolonged process. To ensure transparency, we filed an incident report with Hong Kong Police Force, the FBI, and Homeland Security to commence investigation.

 

Our investigation indicates that the hacker has been linked to prior attacks on other DeFi protocols. We have been monitoring fund flows and identified multiple relevant wallet addresses. We have shared this information with CEXes, who are taking appropriate actions within their purview. Concurrently, we are preparing a post-mortem report with our security team, detailing the attack and its underlying causes.

 

We will announce a recovery and fund release plan next week. Our priority is to minimize the impact on our users and partners, and handle this situation fairly and transparently for everyone involved. We appreciate your patience as we work to resolve this matter as quickly as possible."

 

Explore This Case Further On Our Wiki

zkLend is a decentralized money-market protocol built on Starknet that offers secure, efficient lending, borrowing, and depositing for both retail and institutional users. It provides competitive yields, a robust risk framework, and scalability via Starknet’s L2 solution. On 11 February 2025 the platform was hit by an empty-market exploit against the newly launched wstETH token, losing around $9.6 million. The attacker manipulated the "lending_accumulator" to take advantage of rounding errors in zToken mint() and withdraw(). In response, zkLend paused all markets and is working with security experts, law enforcement, and exchanges to track the stolen funds and identify the hacker. Legal action is being pursued, and the team is preparing a recovery plan to minimize the impact on users and partners.
