News Will Izuchukwu February 12, 2025
In a wake-up call in the decentralized finance (DeFi) space, zkLend, a decentralized lending platform that operates on the Starknet network, was exploited for $9.5 million.
The weekend exploit was a big security hit for the platform, resulting in stolen funds that were supposed to be untraceable. However, in an unexpected twist, the stolen assets were returned, thanks to a feature of Railgun, the privacy-focused protocol that played a part in laundering the funds.
A decentralized lending and borrowing protocol called zkLend, built on Starknet, has received a lot of attention for its novel approach to this service. Unfortunately, that reputation took a big hit when a hacker exploited a vulnerability in the system and made off with about $9.5 million worth of crypto assets. After the funds were stolen, the hacker bridged the assets to the Ethereum network and laundered them using a privacy tool called Railgun.
The identity of the attacker is still unknown. They sent the stolen funds to a deposit address associated with Railgun, and the on-chain record shows the funds being bridged from Starknet to Ethereum in just a few minutes. Railgun is known for providing transaction privacy, and that obfuscation is exactly what the attacker needed.
A privacy-enhancing protocol called Railgun allows users to conduct transactions without exposing the intricate details of their funds. The Railgun protocol was used by the attacker to obfuscate the funds stolen from zkLend. From zkLend’s address, the stolen assets were sent to a Railgun address, which had the peculiar feature of being effectively linked to the attacker’s wallet. From there, the stolen funds were sent on a journey through several transactions that made the funds difficult to trace.
The unexpected turning point in this case was Railgun’s privacy policies. Those policies were designed to keep bad actors from using Railgun as a cover for their activities while maintaining the anonymity of legitimate users, and they left Railgun free to monitor any transaction it needed to. It used that power to make sure the funds stolen in this incident were returned to the people from whom they had been taken.
The funds were tracked to the first deposit address from which the attacker attempted to move the assets. In a remarkable turn of events, Railgun’s policies allowed the $9.5 million to be returned to that same address, essentially undoing the laundering process. The hacker lost the oversight fight and had to give up the stolen funds. Peer-to-peer privacy protocols are not an excuse for allowing crime to go unpunished.
After the exploit, zkLend’s team moved quickly to limit the damage and recover the stolen assets. They appealed to the attacker—whom they presumed was still online—to return the funds by posting a public message on the blockchain. “We are offering a 10% whitehat bounty for the return of the stolen assets,” read the message enticing the attacker to part with 3,300 ETH (approximately $8.6 million). The promise of a 10% return for the act of returning the stolen assets is much more palatable for the team than the prospect of trying to track down and recover the stolen assets through more traditional means.
The whitehat bounty is an interesting move by zkLend to encourage hackers to return funds they have stolen—without facing legal consequences. Although the platform has not said whether it will pursue legal action, offering a bounty is a common tactic in the DeFi space to promote post-attack ethical behavior. This situation highlights the growing trend of “whitehat” incentives, which reward those who report (or return) vulnerabilities and stolen assets. These incentives seek to avoid pursuing punitive measures, which, in this field, often result in lengthy court cases.
zkLend’s reply reflects a realistic approach to dealing with the exploit, since offering a bounty not only allows for the possible return of stolen assets but also builds goodwill within the wider crypto ecosystem. The DeFi sector is reeling from this incident, but the incident also reminds us just how effective community-driven, protocol-level solutions can be, as in the case of Railgun resolving this particular issue.
The $9.5 million exploit hitting zkLend has dealt the project and the DeFi community a significant blow. But the unexpected return of the stolen funds makes a key point about the privacy protocols that live on top of the blockchain: they can also help preserve the integrity of that very blockchain. The return of the stolen $9.5 million also serves as a reminder of the DeFi security landscape, which appears to be ever-evolving, with new protocols and features constantly being added to address vulnerabilities and mitigate risks.
🚨ALERT🚨@zkLend has suffered a $9.5M exploit on the Starknet network. Stolen funds were bridged to #Ethereum and laundered via #Railgun, but due to protocol policies, the funds were returned to the original address by #Railgun!
Deposit to #Railgun:… https://t.co/0muIH2TArY— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) February 12, 2025
That the assets were returned at all is a very positive outcome. It’s a rare case where stolen funds are returned in the decentralized finance realm, where such funds often seem to vanish completely. We don’t know how the return was negotiated, and it raises interesting questions about the use of privacy protocols for good, way beyond their original intent.
The exploit that occurred at zkLend and in the larger DeFi community now offers a chance to learn. The quick retrieval of the stolen funds, along with zkLend’s prompt whitehat bounty offer, could suggest a model for how other DeFi protocols can deal with situations like this one and might help to contain a future incident’s effect on a supposedly permissionless and trustless ecosystem.
Disclosure: This is not trading or investment advice. Always do your research before buying any Metaverse crypto coins.
Argin Chronicles Copyright © 2025.