zkLend Hacked – $8.5M Stolen, Company offers 10% whitehat Bounty to Attacker


Feb 12, 2025 - 17:05

zkLend, a prominent decentralized finance (DeFi) protocol built on Ethereum’s Layer-2 zk-rollup technology, has fallen victim to a major security breach resulting in the theft of approximately 3,300 ETH, valued at around $8.5 million at current market prices. 

Unexpectedly, zkLend has publicly contacted the attacker, offering a 10% whitehat bounty—equivalent to 330 ETH ($850,000)—in exchange for the safe return of the remaining funds.

The company issued an official statement via its Ethereum ZEND token deployer account and confirmed its authenticity through its verified Twitter/X account.

The company has also set a deadline for the attacker: if no response is received by 00:00 UTC on February 14, 2025, zkLend will escalate the matter by working with law enforcement and blockchain security firms to track and prosecute the individual(s) responsible.

The exploit occurred early on February 12, 2025, and targeted zkLend’s smart contracts deployed on Ethereum’s zk-rollup Layer-2 network. 

While specific technical details of the vulnerability have not yet been disclosed, blockchain analysts suggest that the attacker exploited a flaw in one of zkLend’s smart contract functions. The exploit allowed unauthorized withdrawals of user funds from zkLend’s liquidity pools.

The stolen funds were quickly consolidated into a single wallet controlled by the attacker. The transaction hash for one of the key transfers is 0xe04a7954d440906344f3f5b4c65b358625af2d393bc88942d6f46636e4080067, which can be verified on Etherscan.

zkLend’s Response

In an effort to mitigate further damage and recover user funds, zkLend has opted for a white hat negotiation strategy—a common approach in DeFi hacks where protocols attempt to appeal to attackers’ ethical side by offering them a portion of the stolen funds as a bounty in exchange for returning the rest.

The company has emphasized that this offer is legally binding and has been communicated transparently through its official channels. 

The Ethereum address provided for returning funds—0xCf31e1b97790afD681723fA1398c5eAd9f69B98C—is linked directly to zkLend’s operations.

In addition to negotiating with the hacker, zkLend is collaborating with leading blockchain forensic firms and law enforcement agencies to track down the perpetrator in case negotiations fail. 

The company has reassured users that it is taking all necessary steps to secure its platform and prevent future incidents.

This incident highlights ongoing vulnerabilities in DeFi protocols despite advancements in smart contract auditing and security practices. 

zkLend’s decision to offer a whitehat bounty reflects a growing trend in the DeFi space, where companies prioritize fund recovery over immediate legal action against attackers. 

However, this approach is not without risks: it can incentivize further attacks if hackers believe they can negotiate favorable terms after exploiting vulnerabilities.

As the February 14 deadline approaches, all eyes are on whether the attacker will accept zkLend’s offer or face potential legal consequences. Meanwhile, users are urged to exercise caution when interacting with DeFi platforms and ensure they are aware of associated risks.


The post zkLend Hacked – $8.5M Stolen, Company offers 10% whitehat Bounty to Attacker appeared first on Cyber Security News.