Decentralized money lender zkLend suffered a breach in which threat actors exploited a smart contract flaw to steal 3,600 Ethereum, worth $9.5 million at the time.

The attack took place yesterday afternoon, with zkLend warning on X that they were suffering a cybersecurity incident.

zkLend is a decentralized money-market protocol built on Starknet, a Layer 2 scaling solution for Ethereum.

According to the EthSecurity Telegram channel, the threat actors exploited a rounding error bug in the mint() function of zkLend's smart contract.

"The attacker manipulated the 'lending_accumulator' to be very large at 4.069297906051644020, then took advantage of the rounding error during ztoken mint() and withdraw() to repeatedly deposit 4.069297906051644021 wstETH getting 2 wei then withdraw 4.069297906051644020*1.5 -1 = 6.103946859077466029 wstETH to expend just 1 wei," reads a post to the EthSecurity channel.

According to Cyvers, the threat actors attempted to launder the crypto through the RailGun privacy protocol but were blocked due to protocol policies.

zkLend has now issued a message to the hacker stating that if they return 90% of the stolen Ethereum, which is 3,300 ETH, they can keep the other 10% and will not face any liability for the attack.

"You may keep 10% of the funds as a whitehat bounty, and send back the remaining 90%, or 3,300 ETH to be exact, to this Ethereum address: 0xCf31e1b97790afD681723fA1398c5eAd9f69B98C," reads an on-chain message to the hacker.

The crypto thieves have until February 13, at 7:00 PM EST, to return 90% of the stolen funds, after which zkLend will pursue legal action.

Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com.
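The rounding mechanics quoted above, as an added illustration that is not part of the original article or of zkLend's own (Cairo) code: a toy integer model of share-based lending-pool accounting, which assumes as a simplification that the lending accumulator is expressed as underlying wei per raw share, and places the user-favoring rounding direction (round up on mint, round down on burn) beside the hardened one (round down on mint, round up on burn), using the figures from the EthSecurity post.

```python
def div_down(a, b):
    return a // b

def div_up(a, b):
    return -(-a // b)

class ZTokenPool:
    """Toy pool: each raw share is worth `acc` underlying wei; balances are raw shares."""
    def __init__(self, acc, round_against_user):
        self.acc = acc                                # lending accumulator, wei per raw share (assumed)
        self.round_against_user = round_against_user
        self.raw = {}                                 # user -> raw share balance

    def raw_for_mint(self, amount):
        # Vulnerable pattern: round UP, so the depositor receives an extra share.
        # Hardened pattern: round DOWN, so the pool keeps the dust.
        f = div_down if self.round_against_user else div_up
        return f(amount, self.acc)

    def raw_for_burn(self, amount):
        # Vulnerable pattern: round DOWN, so the withdrawer burns too few shares.
        # Hardened pattern: round UP, so the withdrawer pays the dust.
        f = div_up if self.round_against_user else div_down
        return f(amount, self.acc)

    def deposit(self, user, amount):
        self.raw[user] = self.raw.get(user, 0) + self.raw_for_mint(amount)

    def withdraw(self, user, amount):
        burn = self.raw_for_burn(amount)
        if burn > self.raw.get(user, 0):
            raise ValueError("insufficient ztoken balance")
        self.raw[user] -= burn
        return amount

def net_gain(round_against_user, acc, deposit, withdraw):
    """Underlying wei gained by one deposit/withdraw cycle; None if the withdraw reverts."""
    pool = ZTokenPool(acc, round_against_user)
    pool.deposit("u", deposit)
    try:
        pool.withdraw("u", withdraw)
    except ValueError:
        return None
    return withdraw - deposit

# Figures quoted in the EthSecurity post, expressed in wei (18 decimals)
ACC = 4_069_297_906_051_644_020
DEPOSIT = 4_069_297_906_051_644_021
WITHDRAW = 6_103_946_859_077_466_029  # ACC * 1.5 - 1 wei
```

With user-favoring rounding, one cycle mints 2 raw shares, burns 1 and nets about 2.03 wstETH from the pool; with rounding against the user the same withdraw reverts, and the most the depositor can take back is 1 wei less than they put in.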
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 12 Feb 2025 23:10:14 +0000