zkLend, a decentralized finance lending protocol on Starknet, has suffered a major security breach. As a result, it lost approximately 3,700 ETH, worth around $4.9 million.

The exploit has forced the platform to pause withdrawals while investigations continue.

Response to the Exploit

zkLend confirmed the incident in a series of X posts on February 11, stating that millions worth of cryptocurrency had been drained from its smart contracts.

We are aware of the ongoing security incident on zkLend. The team is now investigating and will provide an update when possible, the protocol stated. Hours later, they advised users to refrain from depositing or repaying funds while they worked to determine the root cause. They also halted all withdrawals to prevent further losses.

Following the attack, zkLend sought the services of several organizations, including StarkWare, ZeroShadow, Binance Security, and Hypernative Labs, to help track the hacker and recover the stolen funds. It also promised to share a more detailed analysis as soon as a post-mortem was completed.

The exploit affected several DeFi strategies linked to zkLend, including STRKFarm’s STRK, USDC, and ETH Sensei strategies, putting withdrawals on ice until the situation gets resolved.

According to blockchain security firm QuillAudits, the perpetrator, identified by the address 0x64…9109, first targeted a specific contract, 0x04…3b26, before siphoning the funds. They then moved the stolen assets to Ethereum, funneling it through the Railgun crypto mixer, a privacy-focused tool often used to obscure transaction trails.

On-chain data shared by the security platform showed several transactions leading to laundering activity, with 706 ETH, valued at about $1.8 million, already sent through the mixer.

Whitehat Bounty Offer

In a last-ditch effort to recover the funds, zkLend issued a direct message to the hacker, offering a 10% whitehat bounty. This would mean that the attacker would keep nearly 400 ETH worth more than one million dollars if the remaining 3,300 ETH were returned by 00:00 UTC on Valentine’s Day. The team also stressed that the offer is legally binding and releases the exploiter “from any and all liability” regarding the heist.

It isn’t the first time protocols on the wrong end of exploits have tried negotiating with bad actors to have funds returned. In March last year, WOOFI lost $8.5 million in a flash loan attack, and subsequently offered a percentage of the loot as a whitehat bounty.

Similarly, almost half a year before that, North Korean hackers stole more than $70 million from the CoinEx crypto exchanges hot wallets, leading the platform to offer them what it termed a “generous bug bounty.”

Sadly, in both cases, no funds were ever returned despite the bounty pleas.