zkLend, a decentralized lending protocol on the Starknet network, has fallen prey to a major exploit, with the attacker draining $9.5 million in crypto assets.

Blockchain surveillance company Cyvers confirmed that the stolen funds were initially funneled through the Rocket private process and were immediately bridged to Ethereum.

The funds were therefore redirected to the unique address due to the protocol's internal rules, Cyvers said on Monday.

After the event, zkLend stopped all transactions and advised users to hold off on placing or paying off loans while the incident was being looked into.

The breach sets off alarm bells in the DeFi space, as it comes amid growing security concerns in the market. According to DeFiLlama data, fraudsters have previously stolen more than $110 million from bitcoin projects this season.

zkLend reached out to the hacker with an on-chain message offering a 10% "white hat" bounty in exchange for the return of the remaining funds, amounting to 3,300 ETH (roughly $8.78 million).

"Upon receiving the move, we agree to release from any and all responsibility regarding the attack," the protocol said.

The attacker was told that legal action would be taken if the money was not returned by zkLend's deadline of Feb. 14.

The lending platform said they are already working with law enforcement and several security firms—including StarkWare, Starknet Foundation, Binance Security—to trace the stolen funds and catch the hacker.

"This was one of the biggest hacks on Starknet if not the biggest in recent years," said Preetam Rao, CEO and co-founder of web security firm QuillAudits. "Good to see zkLend is being transparent throughout the situation and offered a bounty to the hacker."

Rao said his team is reviewing the incident to prevent similar issues from occurring in other protocols, noting that the root cause of the hack doesn't appear to be in the proof system, but rather in the contract logic.

Meir Dolev, co-founder and CTO of Cyvers, noted: "This incident highlights security risks in DeFi lending and raises concerns about the safety of protocols on Starknet's zero-knowledge rollup infrastructure."

The zkLend hackers used Railgun, which integrates privacy features directly into DeFi applications and guarantees users' anonymity while using the blockchain, in contrast to traditional coin mixers like Tornado Cash, which pool and redistribute funds to obscure their origin.

The team tweeted, "We are committed to full transparency and will share a thorough post-mortem analysis as soon as it is finished," urging users to remain patient as they work through the incident.

At the Web3 Summit 2024, ImmuneFi founder Mitchell Amador shared his thoughts, calling DeFi hacking "an infinitely sustainable and viable business." However, he added that the crypto space is unquestionably "going to become" safer.

DeFi hackers, he said, were "looking for more damage, more than ever, and their skills are also applicable in a number of different areas."
