ZKLend Lending Accumulator Precision Loss Manipulation
zkLend is a decentralized money-market protocol built on Starknet that offers secure, efficient lending, borrowing, and depositing for both retail and institutional users. It provides competitive yields, a robust risk framework, and scalability via Starknet’s L2 solution. The platform was recently hit by a $9.6 million exploit involving a vulnerability in the wstETH token. The attack manipulated the "lending_accumulator" to take advantage of rounding errors, leading to significant losses. In response, zkLend paused all markets and is working with security experts, law enforcement, and exchanges to track the stolen funds and identify the hacker. Legal action is being pursued, and the team is preparing a recovery plan to minimize the impact on users and partners.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]
About ZKLend
zkLend is a next-generation L2 money-market protocol built on Starknet, offering decentralized lending, borrowing, and depositing for both retail and institutional users. It provides competitive yields based on real-time supply and demand, a robust risk framework, and secure, scalable transactions using validity proofs. The platform supports institutional DeFi markets with KYC, compliance, capital efficiency, and customizable loan terms. zkLend’s roadmap includes core functionality reliability, mainnet launches, cross-chain lending, and institutional MVP in 2024. The platform is backed by trusted institutions like Nethermind and ABDK Consulting for infrastructure and security.
zkLend is designed to provide a secure and efficient decentralized money-market platform for retail users, offering seamless deposit and borrowing of digital assets with yields derived from interest paid by borrowers. The platform, now live on the mainnet with fully audited contracts, ensures user safety and leverages the latest blockchain technology to offer a smooth experience. Powered by Starknet's L2 solution, zkLend benefits from superior transaction speed, low costs, and innovations like account abstraction and trustless bridging, making it a future-proof platform for decentralized finance. With a focus on scalability and decentralization, zkLend is poised to lead in the DeFi space.
The Reality
The ZKLend protocol contained at least 3 minor vulnerabilities, which either the single auditing firm, Nethermind, had failed to detect, or which had been introduced in modifications made after the audits.
What Happened
"Starting on 11th of February, zkLend suffered an attack resulting in the loss of around $9.6 million USD in funds."
| Date | Event | Description |
|---|---|---|
| May 23rd, 2022 4:36:00 PM MDT | First Nethermind Audit Completed | The Cairo 0 money market is audited by Nethermind. |
| October 1st, 2023 9:42:00 AM MDT | Second Nethermind Audit Completed | The Cairo 1 money market is audited by Nethermind. |
| November 27th, 2023 11:51:00 AM MST | ZEND Token Contract Audit | The ZEND token contract is audited by Nethermind. |
| December 16th, 2024 5:18:00 AM MST | Liquid Staking Contract Audit | The liquid staking contract is audited, also by Nethermind. |
| February 11th, 2025 5:44:35 AM MST | Smart Contract First Contact | The attacker reportedly makes their first contact with the ZKLend smart contract. |
| February 11th, 2025 8:01:02 AM MST | First Exploit Transaction | The first exploit transaction, which is able to gain 15484.120127 USDC. |
| February 11th, 2025 9:37:09 AM MST | Attacker Starts Withdrawing | The attacker makes the first of a series of withdrawals from Starknet to Ethereum, Base, Arbitrum, and Optimism through LayerSwap, Orbiter, and rhino.fi. |
| February 11th, 2025 10:52:00 AM MST | Rhino Fi Suspicions | zeroShadow is first made aware of the suspicious activity by Rhino.fi. Both parties agree on their suspicion after an initial check and forward the information to StarkWare. |
| February 11th, 2025 2:22:00 PM MST | ZKLend Tweets Announcement | ZKLend shares an announcement that they are aware of the exploit. They are "now investigating and will provide an update when possible". |
| February 11th, 2025 7:51:00 PM MST | CertiK Public Notice Posted | CertiK posts an analysis on Twitter/X with details of the exploit. |
| February 11th, 2025 8:21:00 PM MST | Reaching Out To Hacker | ZKLend announces an offer to the hacker, under which they can keep 10% and return the rest in exchange for reduced liability. |
| February 12th, 2025 1:16:00 AM MST | CertiK Detailed Walkthrough | CertiK posts a detailed walkthrough of the precision error which is responsible for the exploit. |
| February 13th, 2025 7:46:00 PM MST | Update From ZKLend Team | The ZKLend team shares an update including that they have not yet heard from the exploiter and |
| February 14th, 2025 6:14:00 AM MST | Postmortem Tweet Published | ZKLend publishes a post-mortem on Twitter/X, sharing a link to a Google Drive document with the details. |
Technical Details
"The attacker manipulated the "lending_accumulator" to be very large at 4.069297906051644020, then took advantage of the rounding error during ztoken mint() and withdraw() to repeatedly deposit 4.069297906051644021 wstETH getting 2 wei then withdraw 4.069297906051644020*1.5 -1 = 6.103946859077466029 wstETH to expend just 1 wei."
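The rounding mechanism described in the quote above, modelled as an added illustration (this is not zkLend's, CertiK's or Nethermind's code): a share-based pool where the raw (share) balance is the underlying amount divided by the accumulator with floor division on both deposit and withdrawal, run with the accumulator and amounts quoted above, beside a hardened variant that rounds the burned share count up, against the user. The function names and the single-depositor setup are assumptions.

```python
# Added illustration of accumulator-based share accounting and its rounding
# failure mode; not code from zkLend, CertiK or Nethermind. The accumulator,
# deposit and withdrawal values are the ones quoted in the CertiK description;
# everything else (function names, single-user pool) is constructed.

# Accumulator expressed as "wei of underlying per raw (share) unit" after the
# empty-market inflation: one raw unit is worth 4.069297906051644020 wstETH.
INFLATED_ACC = 4_069_297_906_051_644_020
# Healthy starting accumulator: one raw unit is worth one wei.
HEALTHY_ACC = 1

# Amounts from the quoted description, in wei (18 decimals).
DEPOSIT = 4_069_297_906_051_644_021          # accumulator + 1 wei
WITHDRAW = INFLATED_ACC * 3 // 2 - 1         # accumulator * 1.5 - 1 wei


def raw_for_deposit(amount_wei: int, acc: int) -> int:
    """Shares minted for a deposit. Rounding down here favours the pool."""
    return amount_wei // acc


def burn_floor(amount_wei: int, acc: int) -> int:
    """Vulnerable pattern: shares burned for a withdrawal rounded DOWN, so
    almost 2*acc wei can leave the pool while only one share is burned."""
    return amount_wei // acc


def burn_ceil(amount_wei: int, acc: int) -> int:
    """Hardened pattern: shares burned rounded UP (against the withdrawer)."""
    return -(-amount_wei // acc)


def simulate_round(acc: int, deposit: int, withdraw: int, burn_fn):
    """One deposit-then-withdraw cycle by a single user.
    Returns (net underlying gained in wei, raw shares left over), or None if
    the withdrawal would burn more shares than the deposit minted."""
    raw = raw_for_deposit(deposit, acc)
    burned = burn_fn(withdraw, acc)
    if burned > raw:
        return None                          # withdrawal must be rejected
    return withdraw - deposit, raw - burned


if __name__ == "__main__":
    # With the inflated accumulator the floor variant pays out ~2.03 wstETH
    # per cycle for free; the ceil variant rejects the same withdrawal.
    print("floor:", simulate_round(INFLATED_ACC, DEPOSIT, WITHDRAW, burn_floor))
    print("ceil: ", simulate_round(INFLATED_ACC, DEPOSIT, WITHDRAW, burn_ceil))
    # With a healthy accumulator the same trick leaks at most acc - 1 = 0 wei.
    print("healthy:", simulate_round(HEALTHY_ACC, 2, 2, burn_floor))
```

The leak per cycle is bounded by the accumulator value, which is why the empty-market inflation step was necessary before the rounding became worth exploiting, and why the fix is both to round against the user and to prevent a single dust deposit from owning a market's whole supply.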
Total Amount Lost
Rekt reports 9.57M USD.
The total amount lost has been estimated at $9,570,000 USD.
Immediate Reactions
"On 11th February 2025, zkLend, a money market protocol on Starknet, was attacked using an empty market exploit, causing the loss of around $9.6 million US dollars. The exploit was made against the wstETH token that was newly launched on Starknet. Initial analysis has been performed and this post-mortem serves as a brief report of the progress thus far."
"Smart contracts suspension: The zkLend markets contract was immediately paused after the attack, suspending all deposits, withdrawals, borrowing, repayment, flash loans, and liquidations. An active warning was put out on the app's homepage. Security collaboration: Working with security experts such as zeroShadow to notify exchanges, Chainalysis, TRM and Elliptic of associated wallet addresses. Fund tracking: Continuously track stolen funds and the attacker's activities. Legal collaboration: Actively working with law enforcement (Hong Kong Police, FBI, Homeland Security) to identify and apprehend the hacker. Hacker communication: An on-chain message was sent to the hacker to seek resolution and return funds, but no response has been received. Community updates: Regular updates are being provided to users and partners regarding the protocol's status and developments."
Ultimate Outcome
"As the exploiter did not contact us by the deadline, the zkLend team is pursuing legal action, which may be a prolonged process. To ensure transparency, we filed an incident report with Hong Kong Police Force, the FBI, and Homeland Security to commence investigation.
Our investigation indicates that the hacker has been linked to prior attacks on other DeFi protocols. We have been monitoring fund flows and identified multiple relevant wallet addresses. We have shared this information with CEXes, who are taking appropriate actions within their purview. Concurrently, we are preparing a post-mortem report with our security team, detailing the attack and its underlying causes.
We will announce a recovery and fund release plan next week. Our priority is to minimize the impact on our users and partners, and handle this situation fairly and transparently for everyone involved. We appreciate your patience as we work to resolve this matter as quickly as possible."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Rekt - zkLend - Rekt (Accessed Feb 18, 2025)
- [2] @zkLend Twitter (Accessed Feb 18, 2025)
- [3] zkLend | Twitter | Linktree (Accessed Feb 18, 2025)
- [4] zkLend | Money-market protocol on Starknet (Accessed Feb 18, 2025)
- [5] zkLend | zkLend (Accessed Feb 18, 2025)
- [6] @CertiKAlert Twitter (Accessed Feb 18, 2025)
- [7] @zkLend Twitter (Accessed Feb 18, 2025)
- [8] @CertiKAlert Twitter (Accessed Feb 18, 2025)
- [9] zkLend Hack Post-mortem.pdf - Google Drive (Accessed Feb 18, 2025)
- [10] PublicAuditReports/NM0058-FINAL_ZKLEND.pdf at 1d6264507e7ba835eff2fa14499acc2729b9b84c · NethermindEth/PublicAuditReports · GitHub (Accessed Feb 18, 2025)
- [11] PublicAuditReports/NM0097-FINAL_ZKLEND.pdf at 1d6264507e7ba835eff2fa14499acc2729b9b84c · NethermindEth/PublicAuditReports · GitHub (Accessed Feb 18, 2025)
- [12] Voyager - Starknet block explorer (Accessed Feb 18, 2025)
- [13] Voyager - Starknet block explorer (Accessed Feb 18, 2025)
- [14] Voyager - Starknet block explorer (Accessed Feb 18, 2025)
- [15] Transaction - Starkscan (Accessed Feb 18, 2025)
- [16] The Initial Reaction On Discord (Accessed Feb 18, 2025)
- [17] ZKLend - "You may keep 10% of the funds as a whitehat bounty, and send back the remaining 90%, or 3,300 ETH to be exact, to this Ethereum address" - Twitter/X (Accessed Feb 18, 2025)