zkLend shuts down amid exploit fallout and delistings, remaining $200k redirected to users

Lending protocol zkLend stated in a June 25 post on X that it will wind down its operations and direct its remaining $200,000 treasury to a fund for users affected by a February security breach. 

The team said the exploit “deeply eroded user confidence” and that ZEND’s delisting from Bybit and KuCoin amplified the negative sentiment, causing a significant decline in the capital and liquidity needed for new products.

Liquidity squeeze and decision to quit

While zkLend assessed recovery options, Bybit and KuCoin removed the ZEND token from their spot markets, sharply reducing trading depth and cutting off a path to raise fresh liquidity. 

The team said these constraints made a relaunch unrealistic. Instead, zkLend will keep its DeFi Spring, recovery, and kSTRK portals online, allowing users to unstake assets or claim balances. 

It also retained security outfit zeroShadow to trace any remaining stolen coins, pledging to route future recoveries to the user fund.

zkLend plans to publish its refreshed, audited codebase as open-source “in the coming weeks” for any developer who wants to build on the framework. The team added that it will “remain online and committed to the recovery of stolen funds through any means necessary,” but will not restart its money-market operations.

The decision marks the end of zkLend’s four-year run on Starknet and formalizes the shift from rebuilding the protocol to compensating users through the recovery pool.

Exploit drained 3,300 ETH

On Feb. 12, an attacker used a precision rounding flaw in zkLend’s Starknet contracts to drain about 3,300 ETH, worth roughly $9.5 million at the time. The exploiter bridged the assets to Ethereum and routed them through the privacy tool Railgun.

zkLend offered the exploiter a 10% bounty if 90% of the funds were returned by February 14, warning that it would pursue legal action if the deadline passed. The funds never came back, and the protocol halted withdrawals while it worked with security firm Cyvers, law enforcement agencies, and on-chain investigators.

The investigation produced an unexpected twist on April 1 when zkLend reported that the attacker lost 2,930 ETH to a phishing site impersonating Tornado Cash.

Blockchain analytics firm Lookonchain confirmed the loss, and the attacker sent an on-chain message admitting the mistake, stating he lost all the funds. He added: “I’m devastated and sorry.” 

The breach left users locked out of their deposits, and the protocol’s reputation suffered as a result.

The post zkLend shuts down amid exploit fallout and delistings, remaining $200k redirected to users appeared first on CryptoSlate.
