zkLend shuts down, conceding defeat after February’s crippling $9.5M hack


Cryptopolitan, 2025/06/25 19:01
By Hannah Collymore

In this post: zkLend announced it is winding down after a serious exploit led to eventual token delistings on major CEXs. The February hack drained about $9.5 million via smart-contract vulnerabilities, with the hacker allegedly losing $5.4 million of the loot to a phishing scam. The team will allocate the remaining $200,000 in its treasury to the recovery fund; the codebase is to be open-sourced.

Decentralized lending protocol zkLend has announced that it will wind down operations and devote its remaining treasury to a user recovery fund after a disastrous $9.5 million exploit in February and subsequent loss of token liquidity. 

The decision, shared in a post on X by the zkLend team, marks the end of the Starknet-based protocol’s brief run in DeFi.

Liquidity dries up and official wind-down

The exploit and ensuing drama seriously impacted confidence in zkLend’s ZEND token. Major exchanges Bybit and KuCoin delisted ZEND in recent weeks, slashing trading volume and making it nearly impossible for users to exit positions without steep slippage.

With token liquidity vanishing, zkLend’s developers concluded there was no viable path forward for relaunching their money markets.

In an X announcement, zkLend’s core contributors outlined their decision:

“Given these circumstances, we believe that using the remainder of our treasury—$200,000—towards supporting affected users through the recovery fund is a more responsible and meaningful use of resources than relaunching our money markets and continuing development.”

The protocol also stated that users can unstake funds or file claims via the DeFi Spring and kSTRK portals.

Also, the team has retained the services of zeroShadow, the blockchain forensics firm working on tracking down the stolen assets, and stated that any recovery from this effort will be restituted to the recovery fund.

According to zkLend, in the coming weeks, its audited and refreshed codebase will be released as open source for community developers to fork or build upon.

zkLend never recovered from the February hack

Launched officially on Starknet mainnet in late 2023, zkLend aimed to deliver non-custodial lending and borrowing on Starknet through yield-optimized “money markets.” Its promise hinged on zero-knowledge proofs for high throughput and low gas fees.

But on February 11, an attacker exploited a flaw in zkLend’s lending accumulator via flash loans and rounding errors, siphoning off approximately $9.5 million at the time.

zkLend’s post-mortem detailed how the vulnerability allowed the attacker to inflate the protocol’s state and drain deposits in rapid succession.

In the days that followed, zkLend offered the exploiter a 10% bounty in return for the safe return of the remaining funds. But the hacker went silent until an unexpected twist.

On March 31, the attacker sent a zero-value on-chain message to zkLend, claiming to have lost 2,930 ETH out of the stolen funds to a phishing website impersonating Tornado Cash. In an Etherscan-logged note, the exploiter lamented:

“Hello, I tried to move funds to a Tornado, but I used a phishing website, and all the funds have been lost. I am devastated and sorry for the havoc and losses caused.”

Image: The hacker responded to zkLend’s bounty message, claiming the funds were lost to a phishing site. | Source: Etherscan

Many crypto investigators do not believe the hacker’s tale. On-chain analysis revealed that the transaction used a more shady route to get to Tornado Cash.

The hacker used an Ethereum vanity address to move the stolen funds, and they did not get sent to one of the Tornado Cash spoof sites directly. Also, the fact that the hacker didn’t mention the phishing website that took the funds raised more eyebrows.

The DeFi community has responded with a mix of sympathy, frustration, and caution.

Looking ahead, affected users will monitor zeroShadow’s forensic progress. Meanwhile, the forthcoming open-source release of zkLend’s audited contracts may give rise to forks or new projects that incorporate the team’s lessons.
