zkLend Protocol Responds to $9.5M Security Breach

On February 12, 2025, zkLend, a protocol on the Starknet network, suffered a significant security breach resulting in the theft of approximately $9.5 million in cryptocurrency. The incident, which involved the movement of stolen funds to the Ethereum network, highlighted ongoing security challenges in the decentralized finance (DeFi) sector.

The attack prompted an immediate response from zkLend, with the protocol team quickly identifying the theft and tracking the movement of funds. In the hours following the exploit, the stolen assets were traced to an attempted transaction through Railgun, a privacy protocol. However, due to Railgun’s internal policies, the funds were returned to their original address rather than being processed through the privacy system.

The incident unfolded across multiple blockchain networks, beginning on Starknet before moving to Ethereum, demonstrating the complex nature of cross-chain security incidents. The stolen funds, approximately 3,300 ETH at the time of the attack, represented a substantial portion of the protocol’s assets.

The attack came to light through blockchain monitoring systems, with Cyvers Alerts first reporting the security breach. The sequence of events showed a sophisticated approach to moving and attempting to obscure the stolen funds. After the initial exploit on Starknet, the attacker quickly bridged the funds to the Ethereum network, indicating a pre-planned exit strategy.

The movement of funds can be traced through specific transactions on the Ethereum blockchain. The attacker attempted to use Railgun, a privacy protocol, to shield the stolen assets. This attempt was documented in transaction 0x7309db8034a421a319dc7073a41da4679f93a1a4bab8793c026666837e7846d4. However, this strategy proved unsuccessful when Railgun’s protocol policies triggered a return of the funds to the original address, as shown in transaction 0xf185675b2c2000d1d39f189594be223b78e389cc229b4ec4051b810b920bb125.

After the initial attempt to move the funds failed, the assets remained trackable on the Ethereum blockchain. The transparency of blockchain transactions allowed security firms and the protocol team to maintain visibility of the stolen funds, amounting to approximately 3,300 ETH.

zkLend’s response to the attack was swift and public. The protocol team issued a direct on-chain message to the attacker, using the Ethereum ZEND token deployer account (0xCf31e1b97790afD681723fA1398c5eAd9f69B98C) to ensure authenticity. The message included a structured negotiation attempt, offering the attacker a 10% bounty to return the remaining funds.

The terms of the offer were specific: the attacker could keep 10% of the stolen funds as a white hat bounty in exchange for returning the remaining 3,300 ETH to a designated Ethereum address. The protocol team backed this offer with a clear deadline, setting 00:00 UTC on February 14, 2025, as the cutoff for the attacker to respond.

The message also carried legal weight, with zkLend stating they were already working with security firms and law enforcement. The protocol made it clear that failure to comply with the deadline would result in escalated efforts to track and prosecute the attacker. To ensure the legitimacy of the communication, zkLend sent the message from their verified token deployer account and cross-referenced it with their official Twitter/X account.
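The authenticity of an on-chain message rests on the sender account, not on what the calldata says: anyone can broadcast a transaction whose input data claims to be from zkLend, but only the holder of the deployer key can send it from the deployer address. The following added example (not zkLend's own code) shows how a recipient or an analyst would check such a message: it compares the transaction's `from` field against the verified deployer address quoted above, decodes the input data as UTF-8 text, and rejects look-alike senders and non-text calldata. The transaction records, hashes and message strings are constructed for illustration; the helper names `normalise_address`, `decode_calldata_message` and `authenticate_message` are this example's own. The cross-check against the project's official Twitter/X account described in the article is a manual step and is not modelled here.

```python
"""Authenticate an on-chain text message by its sender account.

Added example, not zkLend's code. Only the deployer address is taken from the
article; every transaction record below is constructed for illustration.
"""
from typing import Optional

# Verified zkLend ZEND token deployer on Ethereum (address quoted in the article).
ZKLEND_DEPLOYER = "0xCf31e1b97790afD681723fA1398c5eAd9f69B98C"


def normalise_address(addr: str) -> str:
    """Lower-case a hex address so EIP-55 checksum casing cannot cause a false mismatch."""
    addr = addr.strip()
    if not (addr.startswith("0x") and len(addr) == 42):
        raise ValueError(f"malformed address: {addr!r}")
    int(addr, 16)  # raises ValueError if the body is not hex
    return addr.lower()


def decode_calldata_message(input_hex: str) -> Optional[str]:
    """Decode the transaction input field as UTF-8 text; None if it is not text."""
    raw = input_hex[2:] if input_hex.startswith("0x") else input_hex
    if not raw:
        return None
    try:
        return bytes.fromhex(raw).decode("utf-8")
    except ValueError:  # odd length / non-hex, or UnicodeDecodeError (a ValueError subclass)
        return None


def authenticate_message(tx: dict, trusted_sender: str) -> dict:
    """Return the decoded message and whether the tx came from the trusted account.

    The message text proves nothing by itself; the `from` field is what the
    transaction signature binds to the sender's private key, so that is the
    only field the authenticity decision depends on.
    """
    sender_ok = normalise_address(tx["from"]) == normalise_address(trusted_sender)
    message = decode_calldata_message(tx.get("input", "0x"))
    return {
        "authentic": sender_ok and message is not None,
        "sender_matches": sender_ok,
        "message": message,
    }


# Constructed sample records: hashes, recipient and calldata are placeholders.
PLACEHOLDER_RECIPIENT = "0x" + "ab" * 20

GENUINE_TX = {
    "hash": "0x" + "11" * 32,
    "from": ZKLEND_DEPLOYER.lower(),  # same account, different checksum casing
    "to": PLACEHOLDER_RECIPIENT,
    "input": "0x" + "zkLend: return funds, keep 10% as bounty".encode().hex(),
}
SPOOFED_TX = {
    "hash": "0x" + "22" * 32,
    "from": "0xCf31e1b97790afD681723fA1398c5eAd9f69B98D",  # look-alike: last nibble differs
    "to": PLACEHOLDER_RECIPIENT,
    "input": "0x" + "zkLend: send the ETH to this new address instead".encode().hex(),
}
NON_TEXT_TX = {
    "hash": "0x" + "33" * 32,
    "from": ZKLEND_DEPLOYER,
    "to": PLACEHOLDER_RECIPIENT,
    # Constructed ERC-20 transfer(address,uint256) call: a contract call, not a message.
    "input": "0xa9059cbb" + "00" * 12 + "ab" * 20 + "00" * 32,
}

if __name__ == "__main__":
    for tx in (GENUINE_TX, SPOOFED_TX, NON_TEXT_TX):
        print(tx["hash"][:10], authenticate_message(tx, ZKLEND_DEPLOYER))
```

The look-alike case is the one that matters in practice: an attacker who wants to redirect a recovery can send a convincingly worded message from an address that differs from the real one by a single character, which is why the comparison is done on the full normalised address and never on a prefix or on the message body.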

This incident highlights several key aspects of current DeFi security infrastructure. The ability to track funds across different networks – from Starknet to Ethereum – demonstrates both the transparency of blockchain systems and the interconnected nature of modern DeFi protocols. When the attacker attempted to move funds through Railgun, the privacy protocol’s built-in security policies proved effective, showing how protocol-level security measures can function as intended.

The response timeline also reveals the current state of DeFi incident management. zkLend’s ability to quickly identify the attack, track the funds, and issue a verified on-chain communication shows how protocols have adapted to handle security breaches. The use of blockchain’s native features – such as sending authenticated messages through the token deployer account – provides a reliable way to communicate during security incidents.

The incident demonstrates the evolving relationship between DeFi protocols and law enforcement. zkLend’s immediate engagement with security firms and law enforcement agencies, combined with their bounty offer, shows a multi-layered approach to recovery efforts. This hybrid strategy – offering a bounty while simultaneously pursuing legal channels – reflects the current reality of DeFi security responses.

The $9.5 million zkLend exploit represents a significant security incident in the DeFi space, characterized by both traditional attack patterns and modern response mechanisms. The movement of funds across multiple networks and attempted use of privacy protocols demonstrates the complex nature of current DeFi security challenges. At the same time, the effectiveness of existing security measures, such as Railgun’s protective policies, shows how protocol-level safeguards can function as intended.

zkLend’s response to the incident – combining a public bounty offer with law enforcement engagement – illustrates the evolving nature of DeFi security practices. Their use of on-chain messaging for official communications, verified through their token deployer account, provides a model for transparent incident response in the blockchain space.

As this situation continues to unfold, with the deadline set for the attacker’s response, it serves as a case study in modern DeFi security practices. The incident highlights both the risks inherent in decentralized finance and the mechanisms available for protocols to respond to and potentially recover from security breaches.