ZkLend, a decentralized lending protocol on Starknet, has confirmed a significant security breach resulting in a loss of approximately $9.5 million. The incident, which occurred on February 12, 2025, marks a concerning start to the year for cryptocurrency security.
In response to the attack, ZkLend has taken immediate action by suspending withdrawals and warning users against making new deposits or loan repayments.
The protocol has extended an olive branch to the attacker, offering a 10% bounty of the stolen funds in exchange for returning the remaining 90% (approximately 3,300 ETH) to a specified Ethereum address.
According to blockchain security firm Cyvers, the stolen funds were initially bridged to Ethereum and moved through Railgun, a privacy-focused transaction service. However, due to Railgun's internal policies, the funds were redirected to their original address, adding an unexpected twist to the incident.
ZkLend has set a deadline of 00:00 UTC on February 14, 2025, for the attacker to comply with their offer, which includes immunity from legal consequences.
"We are working with security firms and law enforcement at this stage. If we do not hear from you by 00:00 UTC, 14th Feb 2025, we will proceed with the next steps to track and prosecute you," the protocol stated in their official communication.
As the investigation continues, ZkLend has promised to release a comprehensive report detailing the incident and outlining new security measures to prevent future exploits.