Thursday, February 13, 2025

zkLend loses $9.5M in crypto heist, asks hacker to return 90%


Decentralized money lender zkLend suffered a breach in which threat actors exploited a smart contract flaw to steal 3,600 Ethereum, worth $9.5 million at the time.

zkLend is a decentralized money-market protocol built on Starknet, a Layer 2 scaling solution for Ethereum. It allows users to deposit, borrow, and lend various assets.

The attack took place yesterday afternoon, with zkLend warning on X that they were suffering a cybersecurity incident.

According to the EthSecurity Telegram channel, the threat actors exploited a rounding error bug in zkLend’s smart contract mint() function.

“The attacker manipulated the “lending_accumulator” to be very large at 4.069297906051644020, then took advantage of the rounding error during ztoken mint() and withdraw() to repeatedly deposit 4.069297906051644021 wstETH getting 2 wei then withdraw 4.069297906051644020*1.5 -1 = 6.103946859077466029 wstETH to expend only 1 wei,” reads a post to the EthSecurity channel.
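The rounding direction described in that post, as an added example that is not zkLend's contract code and does not come from the article: a simplified integer model which assumes the accumulator is the number of wei of wstETH per 1 wei of raw zToken balance. All function names are hypothetical. It contrasts a burn that rounds down with one that rounds up in the pool's favour.

```python
# Simplified model of share accounting (assumption: not the real contract).
# ACC is the accumulator value quoted in the post, read as
# "wei of wstETH per 1 wei of raw zToken balance".
ACC = 4_069_297_906_051_644_020
DEPOSIT = ACC + 1              # 4.069297906051644021 wstETH, from the post
WITHDRAW = ACC * 3 // 2 - 1    # 6.103946859077466029 wstETH, from the post


def raw_minted(amount: int, acc: int = ACC) -> int:
    """Raw balance credited on deposit, rounded down (favours the pool)."""
    return amount // acc


def raw_burned_floor(amount: int, acc: int = ACC) -> int:
    """Flawed direction: the burn is rounded down, so the user under-pays."""
    return amount // acc


def raw_burned_ceil(amount: int, acc: int = ACC) -> int:
    """Hardened direction: the burn is rounded up (favours the pool)."""
    return -(-amount // acc)


def user_value_change(burn_fn, deposit: int, withdraw: int, acc: int = ACC) -> int:
    """Net value, in underlying wei, a user gains from one deposit followed
    by one withdrawal: tokens received minus tokens paid, plus the change in
    the value of their raw balance. A sound pool never lets this exceed 0."""
    raw_delta = raw_minted(deposit, acc) - burn_fn(withdraw, acc)
    return (withdraw - deposit) + raw_delta * acc


def rounding_is_safe(burn_fn, acc: int = ACC, samples: int = 2000) -> bool:
    """Audit-style check: sweep amounts around multiples of acc and confirm
    that no deposit/withdraw pair leaves the user better off."""
    step = acc // 4
    amounts = [k * step + d for k in range(1, 9) for d in (-1, 0, 1)]
    pairs = [(d, w) for d in amounts for w in amounts][:samples]
    return all(user_value_change(burn_fn, d, w, acc) <= 0 for d, w in pairs)


if __name__ == "__main__":
    print("floor burn, value change:", user_value_change(raw_burned_floor, DEPOSIT, WITHDRAW))
    print("ceil burn,  value change:", user_value_change(raw_burned_ceil, DEPOSIT, WITHDRAW))
    print("floor safe:", rounding_is_safe(raw_burned_floor))
    print("ceil safe: ", rounding_is_safe(raw_burned_ceil))
```

The same sweep can be run as a property test against any share-based accounting code: mint and burn must each round against the caller.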

Starkware, which developed the Starknet network, confirmed that the vulnerability was not part of Starknet technology but rather an application-specific bug.

According to Cyvers, the threat actors tried to launder the crypto through the RailGun privacy protocol but were blocked due to protocol policies.

zkLend has now issued a message to the hacker stating that if they return 90% of the stolen Ethereum, which is 3,300 ETH, they can keep the other 10% and will not face any liability for the attack.

“We understand that you are responsible for today’s attack on zkLend. You may keep 10% of the funds as a whitehat bounty, and send back the remaining 90%, or 3,300 ETH to be precise, to this Ethereum address: 0xCf31e1b97790afD681723fA1398c5eAd9f69B98C,” reads an on-chain message to the hacker.

“Upon receiving the transfer, we agree to release you from any and all liability regarding the attack.”

“We are working with security firms and law enforcement at this stage. If we do not hear from you by 00:00 UTC, 14th Feb 2025, we will proceed with the next steps to track and prosecute you.”

zkLend message to hacker

The crypto thieves have until February 13, at 7:00 PM EST, to return 90% of the stolen funds, after which zkLend will pursue legal action.

There has not been any response from the hacker, which is usually the case in these situations. No threat actors have been attributed to the attack.
