- DeFi platform zkLend has offered a hacker 10% of stolen funds as a whitehat bounty
- zkLend lost close to $10 million to the hacker
- The DeFi platform has promised “to release [him] from any and all liability” if he accepts the bounty
DeFi platform zkLend has offered a 10% whitehat bounty to a hacker who stole close to $10 million and promised to “release [him] from […] all liability.” The offer remains valid until February 14, after which zkLend will involve on-chain sleuths and law enforcement agencies to unmask and arrest the malicious actor. zkLend is already tracking the funds and “pursuing the identification of the hacker” with the help of the Binance security team and other blockchain security experts, which increases the chances of unmasking his identity and freezing the funds.
Stolen Funds Deposited to Railgun
The zkLend hack was first reported by blockchain security firm Cyvers, which placed the amount stolen at $9.5 million. Cyvers said the funds were bridged from the Starknet network to the Ethereum blockchain and later deposited to Railgun, a privacy protocol.
🚨ALERT🚨@zkLend has suffered a $9.5M exploit on the Starknet network. Stolen funds were bridged to #Ethereum and laundered via #Railgun, but due to protocol policies, the funds were returned to the original address by #Railgun!
Deposit to #Railgun:… https://t.co/0muIH2TArY
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) February 12, 2025
The hack forced the DeFi platform to temporarily halt withdrawals and ask users to “refrain from depositing or repaying” loans while it investigates the incident. In an on-chain message, zkLend asked the attacker to return 3,300 ETH, or $8.6 million, and keep the rest as his pay.
To the hacker:
We understand that you are responsible for today’s attack on zkLend. You may keep 10% of the funds as a whitehat bounty, and send back the remaining 90%, or 3,300 ETH to be exact, to this Ethereum address: 0xCf31e1b97790afD681723fA1398c5eAd9f69B98C.
Upon… pic.twitter.com/piEVPDHZd4
— zkLend (@zkLend) February 12, 2025
zkLend is yet to receive a response from the attacker more than a day after sending the message.
Some Hackers Keep the Loot
The bounty offer and the threat to involve law enforcement agencies aren’t a guarantee that the attacker will return the funds. Some crypto hackers opt to keep the loot despite being identified and taken to court.
Avraham Eisenberg, the Mango Markets hacker, for example, said he would keep the stolen funds and asked the court to set him free because the government “failed to prove” manipulation claims. Other crypto platforms like Shezmu, however, have in the past recovered stolen funds after successfully negotiating with attackers.
With zkLend offering a bounty and threatening to take legal action, it remains to be seen whether the attacker will return the funds.