
The zkLend hack – how will the protocol recover the stolen $9.5 million? Who hacked the platform and how does this relate to the EraLend hack?


By now you’ve probably heard that yet another attacker has hacked the largest zkLend protocol, withdrawing 3,300 ETH worth $5 million.

Starknet’s decentralised lending protocol zkLend was hacked for $9.5 million on 12 February, according to blockchain security company Cyvers.

Now the protocol’s creators are trying to negotiate with the hacker, offering a 10% reward for the return of the stolen 3,300 ETH.

How do hackers break into Tier-1 crypto platforms that are supposed to be completely secure? What was the sequence of actions taken by the attacker, and was it possible to trace the wallets to which the stolen funds were withdrawn? What actions did zkLend take and what is it doing to recover the money?

Let’s identify the hacker, analyse his algorithm of actions step by step and understand how zkLend protects its corporate data and the security of its users.

What is zkLend?

zkLend is a protocol founded in 2022 and built on Starknet, an Ethereum Layer 2 network.

According to the developers, zkLend aims to provide users with both scaling solutions and money market products. To this end, the platform offers:

  • Convenient ways to borrow;
  • A scalable system that offers high speed and an affordable structure.

Hacking zkLend – where it all started

On 11 February, zkLend announced from its official account on X that it had suspended withdrawals, citing an exploit:

A post from the official zkLend account about a protocol exploit on the X.com network

On 12 February, zkLend, a decentralised finance platform (DeFi), announced on social media that it had been hacked. It was later revealed that more than $5 million had been stolen as a result of the hacker’s actions.

Hacker stole 3,300 ETH from zkLend

In an attempt to reach an agreement with the hacker, zkLend has offered a 10% reward if the stolen funds are returned by 00:00 UTC on 14 February 2025. Otherwise, every effort will be made to track down the attacker:

Offer to hackers from the official zkLend account on the X.com network

At the time of our analysis, some of the hacker’s funds, 1801 ETH, were still pending confirmation in a transfer from the L2 network to the L1 network:

Starkscan transaction status

Later, the network status was updated and the funds were added to the alleged attacker’s wallet balance:

Hacker wallet transactions (0x645c) according to ArbitrageScanner.io

A total of 4 addresses were involved in the exploit:

zkLend: In an attempt to negotiate with the hacker, the user left a wallet address to which the funds should be returned. However, no funds were received from the attacker:

zkLend Deployer address transactions (0xCf3) according to ArbitrageScanner.io

How to find a cryptocurrency hacker

Everyone who uses cryptocurrency leaves their mark on the blockchain, despite the decentralised environment being considered anonymous.

The hacker who stole funds from the zkLend protocol had previously used his wallet to receive funds from the Binance exchange on the Base network:

Receipt of funds to the hacker’s wallet (0x645c) on the Base network according to ArbitrageScanner.io

However, the amount is insignificant, so the user may not have gone through the KYC process, which could otherwise have provided a basis for de-anonymising them.
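The funding-source check described above can be sketched as a backward walk over inbound transfers until a labelled exchange wallet is reached. This is an added example, not code from the article, zkLend or ArbitrageScanner.io; it generalises the single direct transfer in the text to multi-hop paths, and every address, label and amount in it is constructed.

```python
from collections import deque

# Constructed sample data: addresses, labels and amounts are invented for
# illustration and do not correspond to real wallets or transactions.
LABELS = {"0xEXCHANGE_HOT_1": "exchange-A hot wallet"}
TRANSFERS = [
    # (chain, time, sender, receiver, amount_eth)
    ("base", 100, "0xEXCHANGE_HOT_1", "0xINTERMEDIATE", 0.05),
    ("ethereum", 120, "0xUNRELATED", "0xSUSPECT", 1.0),
    ("base", 140, "0xINTERMEDIATE", "0xSUSPECT", 0.04),
    ("base", 200, "0xEXCHANGE_HOT_1", "0xSUSPECT", 0.02),
    ("base", 300, "0xSUSPECT", "0xEXCHANGE_HOT_1", 0.01),  # outflow, not funding
]

def trace_funding(suspect, transfers, labels, max_hops=3):
    """Return every funding path from a labelled address to `suspect`,
    shortest first. Each path is a list of hops ordered source -> suspect."""
    inbound = {}
    for chain, ts, src, dst, amount in transfers:
        inbound.setdefault(dst, []).append((chain, ts, src, amount))

    hits = []
    seen = {suspect}  # simplification: each address is expanded only once
    queue = deque([(suspect, [], float("inf"))])
    while queue:
        addr, path, before = queue.popleft()
        if len(path) >= max_hops:
            continue
        for chain, ts, src, amount in sorted(inbound.get(addr, []), key=lambda t: t[1]):
            if ts >= before:
                continue  # funds must arrive before they are forwarded onwards
            hop = {"chain": chain, "time": ts, "from": src, "to": addr, "amount": amount}
            new_path = [hop] + path
            if src in labels:
                # A labelled exchange wallet is where a KYC record may exist.
                hits.append({"source": labels[src], "hops": len(new_path), "path": new_path})
            elif src not in seen:
                seen.add(src)
                queue.append((src, new_path, ts))
    return sorted(hits, key=lambda h: (h["hops"], h["path"][0]["time"]))

if __name__ == "__main__":
    for hit in trace_funding("0xSUSPECT", TRANSFERS, LABELS):
        route = " -> ".join([hit["path"][0]["from"]] + [h["to"] for h in hit["path"]])
        print(hit["source"], f"({hit['hops']} hop):", route)
```
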

The protocol developers are currently working closely with security companies StarkWare Ltd, Starknet Foundation, zeroshadow.io (formerly Chainalysis Incident Response), Binance Security Team and Hypernative Labs to investigate the incident. They are tracking the stolen funds and investigating the root cause of the exploit.

Hacker identification statement from an official zkLend account on the X.com network

The developers of the zkLend protocol promised users full transparency throughout the investigation. They promised to publish a detailed report once the investigation is complete. zkLend assured that user trust remains the platform’s top priority and that they will do everything possible to resolve the problematic situation quickly.
