
The decentralized lending protocol ZkLend has fallen victim to a major security exploit, with blockchain security firm Cyvers estimating the losses at approximately $9.5 million. In an effort to recover the stolen funds, ZkLend has offered the attacker a 10% bounty and given assurances that no legal action will be taken if the assets are returned by the specified deadline.
Breach and Bounty Offer
On February 12, ZkLend confirmed the exploit and made a direct appeal to the hacker via its official X account. The protocol stated:
“We understand that you are responsible for today’s attack on zkLend. You may keep 10% of the funds as a whitehat bounty, and send back the remaining 90%, or 3,300 ETH to be exact, to this Ethereum address: 0xCf31e1b97790afD681723fA1398c5eAd9f69B98C.”
The platform has set a deadline of 00:00 UTC on February 14, 2025, for the attacker to comply. Failure to return the assets will result in legal action and an intensified effort to track the stolen funds.
ZkLend emphasized the authenticity of its request, confirming that the message originated from its Ethereum ZEND token deployer account. Additionally, it urged users to verify the information through its official social media channels.
Immediate Security Measures
In response to the breach, ZkLend has suspended withdrawals and issued a warning against depositing funds or repaying loans until further notice. The protocol is working alongside blockchain security experts and law enforcement agencies to investigate the exploit.
A detailed report outlining the breach and the security measures taken will be released once the investigation concludes.
Stolen Funds and Movement
According to Cyvers, the stolen ether (ETH) was first bridged to the Ethereum network and then sent through Railgun, a privacy-focused transaction service. However, under Railgun’s internal policies, the funds were redirected to their original address, complicating the hacker’s attempt to launder the stolen assets.
Crypto Sector Faces Continued Security Threats
This attack on ZkLend is part of a larger trend of rising cybercrime in the blockchain sector. Data from DeFiLlama reveals that over $100 million has already been stolen from various crypto projects in early 2025 alone. This follows the staggering $2.2 billion loss recorded across 303 hacking incidents in 2024.
As the crypto industry grapples with persistent security vulnerabilities, market analysts warn that 2025 could see continued financial losses unless enhanced security measures are implemented across DeFi platforms.