zkLend Hacker's $9.5M Heist Thwarted by Privacy Protocol Loophole

Starknet Lending Protocol Faces Unprecedented Collapse
zkLend, a decentralized lending platform on Starknet, suffered a severe security breach on February 12, 2025, resulting in financial losses ranging between $4.9 million and $9.5 million. The attack exploited a vulnerability in the protocol’s smart contracts, allowing the hacker to drain significant assets.

The stolen funds were swiftly moved to Ethereum and funneled through Railgun, a privacy-enhancing transaction protocol designed to obfuscate fund origins. However, in a dramatic turn of events, Railgun’s internal security mechanisms unexpectedly forced the illicit funds to return to the hacker’s original address, derailing the laundering attempt.
The breach delivered a devastating blow to zkLend’s financial health, triggering a catastrophic 90% plunge in its Total Value Locked (TVL). Before the exploit, zkLend boasted a TVL of nearly $12 million. In the immediate aftermath, that figure plummeted to just $1.1 million, marking zkLend as the worst-performing decentralized application (dApp) with at least $10,000 in TVL.

The lending platform witnessed mass withdrawals, with $6 million worth of ETH, $1.8 million in USDC, and $1.7 million in STRK exiting its ecosystem. The shockwave extended to other Starknet-based lending protocols, including Nostra and Vesu, which sustained losses of $10 million and $3 million, respectively.
In an attempt to recover its losses, zkLend responded by freezing all withdrawal operations and advising users against depositing or repaying loans. The team made an unusual appeal to the hacker, offering a whitehat bounty deal: if the attacker returned 90% of the stolen funds—amounting to approximately 3,300 ETH worth $8.8 million—they would be allowed to keep the remaining 10% without facing legal consequences.
zkLend issued an on-chain message stating that compliance with the terms would absolve the hacker of any liability. The deadline for returning the funds was set for February 14, 2025, at 00:00 UTC, with a warning that failure to comply would lead to legal action and law enforcement involvement.

Railgun, a zero-knowledge proof (ZKP)-based privacy pool, typically allows users to deposit and withdraw funds without revealing transaction details. Transactions undergo a mandatory verification process, which screens deposits for potential ties to criminal activity.
The hacker’s attempt to use Railgun to launder funds was thwarted when the protocol’s automated system flagged the deposit as suspicious. As a result, the only permitted withdrawal route was back to the original wallet, effectively neutralizing the laundering scheme. This unexpected safeguard inadvertently turned Railgun into a roadblock for the attacker, rather than a tool for anonymity.
Ethereum co-founder Vitalik Buterin weighed in on the incident, emphasizing the importance of Railgun’s privacy pools in preventing illicit financial activity. He pointed out that while privacy-focused protocols are essential for legitimate users, they must also implement safeguards to prevent criminals from exploiting anonymity features.
Railgun’s filtering mechanism ensures that flagged deposits can only be withdrawn to their original source, which makes the pool useless for money laundering. Buterin acknowledged that developers who disagree with Railgun’s built-in protections can create alternative privacy pools with different validation mechanisms, though he cautioned that such pools would provide weaker anonymity without widespread adoption.
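The safeguard described above, as an added example that is not Railgun's code and not from the original article: a toy privacy pool that screens each deposit against a list of flagged addresses, accepts the deposit either way, and then enforces the rule that a flagged note can only be withdrawn back to the address that deposited it. The screening list, the addresses and the amounts are constructed placeholders for illustration; how Railgun actually sources its screening data is not shown here and is not assumed.

```python
from dataclasses import dataclass


@dataclass
class Note:
    """One deposit held inside the pool (a simplified stand-in for a shielded note)."""
    note_id: int
    depositor: str   # address that made the deposit (lower-cased)
    amount: int      # amount in the smallest unit, e.g. wei
    flagged: bool    # True if the depositor matched the screening list


class ScreenedPrivacyPool:
    """Toy model (not Railgun's implementation) of a privacy pool with deposit screening.

    Policy: every deposit is screened on entry. Unflagged notes may be withdrawn to
    any destination. Flagged notes are still accepted, but the only permitted
    withdrawal destination is the original depositor, so the pool cannot be used
    to break the link between a flagged source and a fresh address.
    """

    def __init__(self, screening_list):
        # Hypothetical screening list: addresses tied to an exploit (constructed values).
        self.screening_list = {a.lower() for a in screening_list}
        self.notes = {}
        self._next_id = 0

    def deposit(self, depositor, amount):
        """Screen the depositor and record the note. Returns (note_id, flagged)."""
        depositor = depositor.lower()
        flagged = depositor in self.screening_list
        note = Note(self._next_id, depositor, amount, flagged)
        self.notes[note.note_id] = note
        self._next_id += 1
        return note.note_id, flagged

    def withdraw(self, note_id, destination):
        """Spend a note to `destination`. Returns (ok, detail).

        A flagged note is refused unless `destination` is the depositing address;
        an unflagged note may go anywhere. Spent notes are removed.
        """
        note = self.notes.get(note_id)
        if note is None:
            return False, "unknown or already spent note"
        destination = destination.lower()
        if note.flagged and destination != note.depositor:
            # The core safeguard: no new destination for flagged funds.
            return False, "flagged deposit: withdrawal allowed only to the depositing address"
        del self.notes[note_id]
        return True, (destination, note.amount)


def demo():
    """Walk through the three cases the policy distinguishes. All addresses are constructed."""
    exploiter = "0x1111111111111111111111111111111111111111"   # constructed flagged address
    ordinary_user = "0x2222222222222222222222222222222222222222"  # constructed clean address
    fresh_wallet = "0x3333333333333333333333333333333333333333"  # constructed destination

    pool = ScreenedPrivacyPool(screening_list=[exploiter])

    # 1. A clean deposit can exit to a fresh address (normal privacy use).
    clean_id, clean_flagged = pool.deposit(ordinary_user, 5 * 10**18)
    clean_exit = pool.withdraw(clean_id, fresh_wallet)

    # 2. A flagged deposit is accepted but cannot exit to a fresh address.
    bad_id, bad_flagged = pool.deposit(exploiter, 3300 * 10**18)
    blocked_exit = pool.withdraw(bad_id, fresh_wallet)

    # 3. The only route left for the flagged note is back to where it came from.
    forced_return = pool.withdraw(bad_id, exploiter)

    return {
        "clean_flagged": clean_flagged,
        "clean_exit_ok": clean_exit[0],
        "bad_flagged": bad_flagged,
        "blocked_exit_ok": blocked_exit[0],
        "forced_return_ok": forced_return[0],
        "forced_return_destination": forced_return[1][0] if forced_return[0] else None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is that screening happens at deposit time and is enforced at withdrawal time, so the pool never has to refuse a deposit outright; it simply leaves a flagged depositor with no destination other than its own address, which is the outcome the article describes for the zkLend funds.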
Despite a 44% decline in crypto-related hacks in January 2025 compared to the same period in 2024, cybercriminals still managed to steal $73 million in the first month of the year alone. In 2024, a staggering $2.3 billion was lost in 165 separate attacks, reflecting a 40% increase from the $1.69 billion stolen in 2023.
Security analysts attribute DeFi’s persistent vulnerabilities to the intricate nature of smart contracts and the risks posed by cross-chain bridging. Experts have suggested several potential countermeasures, including off-chain transaction validation, which could prevent nearly 99% of breaches, alongside enhanced smart contract security audits and stricter privacy protocol mechanisms akin to Railgun’s safeguards.
Past incidents indicate that public scrutiny and pressure from blockchain investigators can influence hackers to return stolen funds. In May 2024, an attacker refunded $71 million in stolen Ether following a wallet poisoning scam, reportedly due to mounting external pressure.
This article has been refined and enhanced by ChatGPT.