zkLend on StarNet Announces Shutdown After $9.6 Million Hack

On June 25, 2025, the zkLend (ZEND) project, a lending protocol on the StarkNet platform, officially announced its cessation of operations. The decision came after a series of serious incidents, including a hack that caused a loss of $9.6 million and the delisting of the ZEND token from major exchanges like Bybit and KuCoin, leading to a significant drop in liquidity.

The zkLend team stated that community trust had severely diminished, making it impossible to continue product development. Instead, the remaining treasury, worth $200,000, will be used to establish a recovery fund to support affected users. The DeFi Spring, Recovery, and kSTRK gateways will continue to operate, allowing users to unstake and receive rewards. Additionally, the audited source code of zkLend will soon be made public, enabling the community to continue developing the project. The team is also working with the zeroShadow investigation group to trace the stolen funds.

The attack on zkLend occurred on February 11, 2025, when hackers exploited a rounding vulnerability combined with a flashloan to manipulate the accumulation index within the system. By continuously depositing and withdrawing funds, the hacker profited millions of dollars before transferring assets to Ethereum and using the Railgun anonymity tool to launder the money. However, Railgun’s mechanism unexpectedly returned funds to the original wallet, forcing the hacker to find alternative means to legitimize the money.

In response, zkLend proposed that the hacker keep 10% of the funds as a bounty reward and promised not to pursue legal action if the remaining amount was returned. However, the hacker did not respond and ignored the offer. By February 19, 2025, zkLend offered a $500,000 reward for any information leading to the capture of the perpetrator and the recovery of the assets.

Related: Israel Arrests Iranian Spy Paid in Cryptocurrency

Surprisingly, on April 1, 2025, in a public message on Etherscan, the hacker admitted to losing 2,930 ETH (approximately $5.4 million) due to accessing a fake Tornado Cash page. They expressed “desperation” and apologized to the community for the losses incurred. However, the on-chain community quickly detected unusual signs: the fake Tornado page used a hard-coded ENS safe-relayer.eth, differing from the structure of the official Tornado Cash. Notably, the domain safe-relayer.eth was removed from the source code immediately after the incident but was still used for withdrawals, raising suspicions that this was a self-scripted act to mislead.

Despite the hacker claiming to be a “victim,” zkLend showed no leniency and demanded the return of the remaining funds. However, the hacker continued to transfer 25 ETH to the Chainflip1 wallet, indicating no intention to stop.