Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/zklendlendingaccumulatorprecisionlossmanipulation.php}} {{Unattributed Sources}} ZKLendzkLend is a decentralized money-market protocol built on Starknet that offers secure, efficient lending, borrowing, and depositing for both retail and institutional users. It provides competitive yields, a robust risk framework, and scalability via Starknet’s L2 solution..."

2025-02-18T21:01:43Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/zklendlendingaccumulatorprecisionlossmanipulation.php}} {{Unattributed Sources}} thumb|ZKLendzkLend is a decentralized money-market protocol built on Starknet that offers secure, efficient lending, borrowing, and depositing for both retail and institutional users. It provides competitive yields, a robust risk framework, and scalability via Starknet’s L2 solution..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/zklendlendingaccumulatorprecisionlossmanipulation.php}}
{{Unattributed Sources}}

[[File:Zklendcom.jpg|thumb|ZKLend]]zkLend is a decentralized money-market protocol built on Starknet that offers secure, efficient lending, borrowing, and depositing for both retail and institutional users. It provides competitive yields, a robust risk framework, and scalability via Starknet’s L2 solution. The platform was recently hit by a $9.6 million exploit involving a vulnerability in the wstETH token. The attack manipulated the "lending_accumulator" to take advantage of rounding errors, leading to significant losses. In response, zkLend paused all markets and is working with security experts, law enforcement, and exchanges to track the stolen funds and identify the hacker. Legal action is being pursued, and the team is preparing a recovery plan to minimize the impact on users and partners.<ref name="rektnews-18126" /><ref name="zklendtwitter-18127" /><ref name="linktree-18128" /><ref name="zklend-18129" /><ref name="zklend-18130" /><ref name="certikalerttwitter-18131" /><ref name="zklendtwitter-18132" /><ref name="certikalerttwitter-18133" /><ref name="googledrive-18134" /><ref name="nethermindethgithub-18135" /><ref name="nethermindethgithub-18136" /><ref name="voyageronline-18137" /><ref name="voyageronline-18138" /><ref name="voyageronline-18139" /><ref name="starkscan-18140" /><ref name="initialreaction-18141" /><ref name="pleahacker-18142" />

== About ZKLend ==
zkLend is a next-generation L2 money-market protocol built on Starknet, offering decentralized lending, borrowing, and depositing for both retail and institutional users. It provides competitive yields based on real-time supply and demand, a robust risk framework, and secure, scalable transactions using validity proofs. The platform supports institutional DeFi markets with KYC, compliance, capital efficiency, and customizable loan terms. zkLend’s roadmap includes core functionality reliability, mainnet launches, cross-chain lending, and institutional MVP in 2024. The platform is backed by trusted institutions like Nethermind and ABDK Consulting for infrastructure and security.

zkLend is designed to provide a secure and efficient decentralized money-market platform for retail users, offering seamless deposit and borrowing of digital assets with yields derived from interest paid by borrowers. The platform, now live on the mainnet with fully audited contracts, ensures user safety and leverages the latest blockchain technology to offer a smooth experience. Powered by Starknet's L2 solution, zkLend benefits from superior transaction speed, low costs, and innovations like account abstraction and trustless bridging, making it a future-proof platform for decentralized finance. With a focus on scalability and decentralization, zkLend is poised to lead in the DeFi space.

== The Reality ==
The ZKLend protocol contained at least 3 minor vulnerabilities, which either the single firm Nethermind had failed to determine, or had been introduced in subsequent modifications.

== What Happened ==
"Starting on 11th of February, zkLend suffered an attack resulting in the loss of around $9.6 million USD in funds."
{| class="wikitable"
|+Key Event Timeline - ZKLend Lending Accumulator Precision Loss Manipulation
!Date
!Event
!Description
|-
|May 23rd, 2022 4:36:00 PM MDT
|First Nethermind Audit Completed
|The Cairo 0 money market is audited by Nethermind.
|-
|October 1st, 2023 9:42:00 AM MDT
|Second Nethermind Audit Completed
|The Cairo 1 money market is audited by Nethermind.
|-
|November 27th, 2023 11:51:00 AM MST
|ZEND Token Contract Audit
|The ZEND token contract is audited by Nethermind.
|-
|December 16th, 2024 5:18:00 AM MST
|Liquid Staking Contract Audit
|The liquid staking contract is audited, also by Nethermind.
|-
|February 11th, 2025 5:44:35 AM MST
|Smart Contract First Contact
|The attacker reportedly makes their first contact with the ZKLend smart contract.
|-
|February 11th, 2025 8:01:02 AM MST
|First Exploit Transaction
|The first exploit transaction, which is able to gain 15484.120127 USDC.
|-
|February 11th, 2025 9:37:09 AM MST
|Attacker Starts Withdrawing
|The attacker made the first of a series of withdrawals from Starknet Ethereum, Base, Arbitrum, Optimism through LayerSwap, Orbiter, and rhino.fi.
|-
|February 11th, 2025 10:52:00 AM MST
|Rhino Fi Suspicions
|zeroShadow were first made aware of the suspicious activity by Rhino.fi. Both parties agreed on their suspicion after initial check and forwarded the information to StarkWare.
|-
|February 11th, 2025 2:22:00 PM MST
|ZKLend Tweets Announcement
|ZKLend shares an announcement that they are aware of the exploit. They are "now investigating and will provide an update when possible".
|-
|February 11th, 2025 7:51:00 PM MST
|CertiK Public Notice Posted
|CertiK posts an analysis on Twitter/X with details of the exploit.
|-
|February 11th, 2025 8:21:00 PM MST
|Reading Out To Hacker
|ZKLend announces an offer for the hacker, where they can keep 10% and return the rest in exchange for reduced liability.
|-
|February 12th, 2025 1:16:00 AM MST
|CertiK Detailed Walkthrough
|CertiK posts a detailed walkthrough of the precision error which is responsible for the exploit.
|-
|February 13th, 2025 7:46:00 PM MST
|Update From ZKLend Team
|The ZKLend team shares an update including that they have not yet heard from the exploiter and
|-
|February 14th, 2025 6:14:00 AM MST
|Postmortem Tweet Published
|ZKLend publishes a post-mortem on Twitter/X, sharing a link to a Google Drive document with the details.
|}

== Technical Details ==
"The attacker manipulated the "lending_accumulator" to be very large at 4.069297906051644020, then took advantage of the rounding error during ztoken mint() and withdraw() to repeatedly deposit 4.069297906051644021 wstETH getting 2 wei then withdraw 4.069297906051644020*1.5 -1 = 6.103946859077466029 wstETH to expend just 1 wei."

== Total Amount Lost ==
Rekt reports 9.57M USD.

The total amount lost has been estimated at $9,570,000 USD.

== Immediate Reactions ==
"On 11th February 2025, zkLend, a money market protocol on Starknet, was attacked using an empty market exploit, causing the loss of around $9.6 million US dollars. The exploit was made against the wstETH token that was newly launched on Starknet. Initial analysis has been performed and this post-mortem serves as a brief report of the progress thus far."

"Smart contracts suspension: The zkLend markets contract was immediately paused after the
attack, suspending all deposits, withdrawals, borrowing, repayment, flash loans, and liquidations. An active warning was put out on the app's homepage.
Security collaboration: Working with security experts such as zeroShadow to notify exchanges, Chainalysis, TRM and Elliptic of associated wallet addresses.
Fund tracking: Continuously track stolen funds and the attacker's activities.
Legal collaboration: Actively working with law enforcement (Hong Kong Police, FBI, Homeland
Security) to identify and apprehend the hacker.
Hacker communication: An on-chain message was sent to the hacker to seek resolution and
return funds, but no response has been received.
Community updates: Regular updates are being provided to users and partners regarding the
protocol's status and developments."

== Ultimate Outcome ==
"As the exploiter did not contact us by the deadline, the zkLend team is pursuing legal action, which may be a prolonged process. To ensure transparency, we filed an incident report with Hong Kong Police Force, the FBI, and Homeland Security to commence investigation.

Our investigation indicates that the hacker has been linked to prior attacks on other DeFi protocols. We have been monitoring fund flows and identified multiple relevant wallet addresses. We have shared this information with CEXes, who are taking appropriate actions within their purview. Concurrently, we are preparing a post-mortem report with our security team, detailing the attack and its underlying causes.

We will announce a recovery and fund release plan next week. Our priority is to minimize the impact on our users and partners, and handle this situation fairly and transparently for everyone involved. We appreciate your patience as we work to resolve this matter as quickly as possible."

== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="rektnews-18126">[https://rekt.news/zklend-rekt/ Rekt - zkLend - Rekt] (Accessed Feb 18, 2025)</ref>

<ref name="zklendtwitter-18127">[https://twitter.com/zkLend/status/1890389052492509362 @zkLend Twitter] (Accessed Feb 18, 2025)</ref>

<ref name="linktree-18128">[https://linktr.ee/zkLend zkLend | Twitter | Linktree] (Accessed Feb 18, 2025)</ref>

<ref name="zklend-18129">[https://zklend.com/ zkLend | Money-market protocol on Starknet] (Accessed Feb 18, 2025)</ref>

<ref name="zklend-18130">[https://zklend.gitbook.io/documentation/about/introduction/zklend zkLend | zkLend] (Accessed Feb 18, 2025)</ref>

<ref name="certikalerttwitter-18131">[https://twitter.com/CertiKAlert/status/1889507487491170625 @CertiKAlert Twitter] (Accessed Feb 18, 2025)</ref>

<ref name="zklendtwitter-18132">[https://twitter.com/zkLend/status/1889424818967371779 @zkLend Twitter] (Accessed Feb 18, 2025)</ref>

<ref name="certikalerttwitter-18133">[https://twitter.com/CertiKAlert/status/1889589451451670832 @CertiKAlert Twitter] (Accessed Feb 18, 2025)</ref>

<ref name="googledrive-18134">[https://drive.google.com/file/d/10i1dh_J89tPPw7KRcmFIVM6iNrJZAyfi/view zkLend Hack Post-mortem.pdf - Google Drive] (Accessed Feb 18, 2025)</ref>

<ref name="nethermindethgithub-18135">[https://github.com/NethermindEth/PublicAuditReports/blob/1d6264507e7ba835eff2fa14499acc2729b9b84c/NM0058-FINAL_ZKLEND.pdf PublicAuditReports/NM0058-FINAL_ZKLEND.pdf at 1d6264507e7ba835eff2fa14499acc2729b9b84c · NethermindEth/PublicAuditReports · GitHub] (Accessed Feb 18, 2025)</ref>

<ref name="nethermindethgithub-18136">[https://github.com/NethermindEth/PublicAuditReports/blob/1d6264507e7ba835eff2fa14499acc2729b9b84c/NM0097-FINAL_ZKLEND.pdf PublicAuditReports/NM0097-FINAL_ZKLEND.pdf at 1d6264507e7ba835eff2fa14499acc2729b9b84c · NethermindEth/PublicAuditReports · GitHub] (Accessed Feb 18, 2025)</ref>

<ref name="voyageronline-18137">[https://voyager.online/tx/0x04862e266cf9a952d06a3d7e537aa68f8ba7f46d224912240b11bb9c6e7f1480 Voyager - Starknet block explorer] (Accessed Feb 18, 2025)</ref>

<ref name="voyageronline-18138">[https://voyager.online/tx/0x0467c72d570ac97feab5ff1c2a326d1b0101c8241316a58d854c734ca7a1b446 Voyager - Starknet block explorer] (Accessed Feb 18, 2025)</ref>

<ref name="voyageronline-18139">[https://voyager.online/tx/0x01711f45d2d6f1df2a14f7f055bdaa370b947c196dca0078b934c11a53dc3d2c Voyager - Starknet block explorer] (Accessed Feb 18, 2025)</ref>

<ref name="starkscan-18140">[https://starkscan.co/tx/0x04862e266cf9a952d06a3d7e537aa68f8ba7f46d224912240b11bb9c6e7f1480 Transaction - Starkscan] (Accessed Feb 18, 2025)</ref>

<ref name="initialreaction-18141">[https://twitter.com/bigcockfuckass/status/1890245380413260007 The Initial Reaction On Discord] (Accessed Feb 18, 2025)</ref>

<ref name="pleahacker-18142">[https://twitter.com/zkLend/status/1889515118368829559 ZKLend - "You may keep 10% of the funds as a whitehat bounty, and send back the remaining 90%, or 3,300 ETH to be exact, to this Ethereum address" - Twitter/X] (Accessed Feb 18, 2025)</ref></references>

ZKLend Lending Accumulator Precision Loss Manipulation - Revision history