
Decentralized finance platform zkLend has fallen victim to a significant cyber attack, resulting in the theft of 3,600 Ethereum (approximately $9.5 million). The incident, which took place on the Starknet Layer 2 scaling network, exploited a vulnerability in the platform’s smart contract system.
Technical Analysis of the Breach
Security experts identified that attackers leveraged a rounding error bug in the mint() function of zkLend’s smart contract. The exploitation involved manipulating the “lending_accumulator” value, which allowed the attackers to abuse the deposit and withdrawal mechanisms through carefully calculated transactions.
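As an added illustration (not zkLend’s code, which runs on Starknet and is written in Cairo), the toy Python pool below models a share-based lending market whose exchange rate is an integer “lending accumulator”. It shows how the rounding direction chosen in the mint and withdraw arithmetic decides whether the unavoidable rounding error is absorbed by the depositor or by the pool, and how the size of that error grows with the accumulator. The `Pool` class, the `round_trip_drift` and `solvent` helpers and every numeric value are constructed for this example and assume nothing about zkLend’s actual implementation.

```python
# Added example (not zkLend's code): a toy lending pool whose share price is an
# integer "lending accumulator", used to show how the rounding direction in
# mint()/withdraw() decides whether rounding error favours the depositor or the pool.
# All numbers below are constructed for illustration.

SCALE = 10**18  # fixed-point scale for the accumulator (1.0 == SCALE)


def ceil_div(a: int, b: int) -> int:
    """Integer division rounded up."""
    return -(-a // b)


class Pool:
    """Each share is worth `accumulator / SCALE` underlying tokens."""

    def __init__(self, accumulator: int, protocol_favoring: bool = True):
        self.acc = accumulator          # lending accumulator, fixed-point
        self.total_assets = 0           # underlying tokens held by the pool
        self.total_shares = 0           # shares minted to depositors
        self.protocol_favoring = protocol_favoring

    def shares_for(self, amount: int) -> int:
        """mint(): convert a deposit into shares."""
        raw = amount * SCALE
        if self.protocol_favoring:
            return raw // self.acc      # round down: depositor is never over-credited
        return ceil_div(raw, self.acc)  # round up: depositor is over-credited (defect)

    def assets_for(self, shares: int) -> int:
        """withdraw(): convert shares back into underlying tokens."""
        raw = shares * self.acc
        if self.protocol_favoring:
            return raw // SCALE          # round down: pool never over-pays
        return ceil_div(raw, SCALE)      # round up: pool over-pays (defect)

    def deposit(self, amount: int) -> int:
        shares = self.shares_for(amount)
        if self.protocol_favoring and shares == 0:
            # A deposit too small to buy one share is refused rather than silently lost.
            raise ValueError("deposit rounds to zero shares")
        self.total_assets += amount
        self.total_shares += shares
        return shares

    def withdraw(self, shares: int) -> int:
        assets = self.assets_for(shares)
        self.total_assets -= assets
        self.total_shares -= shares
        return assets

    def solvent(self) -> bool:
        """Invariant: assets held cover everything outstanding shares could claim."""
        owed = self.total_shares * self.acc      # scaled by SCALE
        return self.total_assets * SCALE >= owed


def round_trip_drift(pool: Pool, amount: int) -> int:
    """Deposit, then immediately withdraw the minted shares.

    A positive result means the pool paid out more than it received.
    """
    shares = pool.deposit(amount)
    return pool.withdraw(shares) - amount


if __name__ == "__main__":
    # Constructed: an accumulator of exactly 3.0 makes one share worth 3 tokens,
    # and 4 tokens do not divide evenly into shares, so rounding must occur.
    for acc in (3 * SCALE, 3 * SCALE * 10**9):
        for label, favoring in (("defective rounding", False), ("protocol-favouring", True)):
            pool = Pool(acc, protocol_favoring=favoring)
            drift = round_trip_drift(pool, 4 * SCALE)
            print(f"acc={acc}: {label}: drift={drift:+d} solvent={pool.solvent()}")
```

With the defective direction a deposit-and-withdraw round trip returns more than was deposited and the solvency invariant fails immediately after the deposit; with the protocol-favouring direction the round trip loses at most one unit and the invariant holds. Raising the accumulator by a factor of a billion multiplies the drift per round trip by the same factor, which is why an inflated accumulator turns a dust-sized rounding error into a material loss. A round-trip property test and a solvency invariant of this shape are the checks a reviewer would expect to see in a lending contract’s test suite.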
StarkWare, the developer of Starknet, confirmed that the vulnerability was specific to zkLend’s application and not related to the underlying Starknet infrastructure. Attempts to launder the stolen funds through the Railgun privacy protocol were blocked by that protocol’s security policies.
Recovery Efforts and Legal Action
zkLend has extended an offer to the attackers:
– Return 90% of stolen funds (3,300 ETH)
– Keep 10% as a “whitehat bounty”
– Receive immunity from legal prosecution
The platform has set a deadline of February 13, 2025, at 7:00 PM EST for the return of funds. Failure to comply will result in legal action and continued investigation with law enforcement agencies. As of now, the attackers have not responded to the offer, and no specific threat actors have been identified.