SlowMist Identifies SafeMath Library In Market Contract As Core Cause Of zkLend’s $9.5M Exploit
By Alisa Davidson
In Brief
SlowMist has identified a critical vulnerability at the core of the recent zkLend attack, attributing the issue to the implementation of the SafeMath library within the market contract.
![SlowMist Identifies SafeMath Library In Market Contract As Core Cause Of zkLend's $9.5M Exploit](https://mpost.io/wp-content/uploads/zkLend-hack-option02-1024x548.jpg)
Blockchain security firm SlowMist has disclosed that its security team identified a critical vulnerability at the core of the recent attack on zkLend, a Layer 2 money market protocol built on Starknet. The firm attributes the issue to the implementation of the SafeMath library within the market contract.
According to SlowMist, the vulnerability arises from the way division calculations are handled. The contract performs direct division operations, which round down when determining the precise amount of zTokens that must be burned during a withdrawal operation. This flaw creates an opportunity for attackers to exploit the discrepancy and gain unauthorized benefits.
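The rounding direction described above can be checked with a short added example; it is not SlowMist's analysis or zkLend's contract code. The fixed-point scale, the accumulator value and all function names are assumptions made for illustration.

```python
# Added illustration: names, SCALE and the accumulator value are assumptions,
# not taken from the zkLend market contract.
SCALE = 10**27  # assumed fixed-point precision of the interest accumulator


def burn_floor(amount: int, accumulator: int) -> int:
    """Raw zTokens to burn for a withdrawal, using plain truncating division."""
    return amount * SCALE // accumulator


def burn_ceil(amount: int, accumulator: int) -> int:
    """Raw zTokens to burn, rounded up so the burn always covers the payout."""
    return -((-amount * SCALE) // accumulator)


def redeemable(raw: int, accumulator: int) -> int:
    """Underlying value of raw zTokens, rounded down."""
    return raw * accumulator // SCALE


def underburned(burn_fn, accumulator: int, amounts) -> list[int]:
    """Withdrawal amounts for which the burned zTokens are worth less than
    the amount paid out (exact comparison, no intermediate rounding)."""
    return [a for a in amounts
            if burn_fn(a, accumulator) * accumulator < a * SCALE]


if __name__ == "__main__":
    acc = 5 * SCALE // 2  # constructed: one raw zToken is worth 2.5 units
    amounts = range(1, 11)
    for name, fn in (("floor", burn_floor), ("ceil", burn_ceil)):
        bad = underburned(fn, acc, amounts)
        print(f"{name}: withdrawals that under-burn -> {bad}")
    # Withdrawing 4 units: floor burns 1 raw token (worth 2), ceil burns 2 (worth 5).
    print(redeemable(burn_floor(4, acc), acc), redeemable(burn_ceil(4, acc), acc))
```

A check like `underburned` is suited to a property or fuzz test: with the burn amount rounded up, the list stays empty for every accumulator value.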
In response to the findings, SlowMist has advised zkLend users to remain vigilant about the security of their assets. The firm recommends temporarily refraining from conducting deposit-related transactions on the platform to mitigate the risk of potential financial losses.
zkLend experienced a $9.5 million exploit on the Starknet network earlier today. In response, withdrawals on the protocol have been paused, and zkLend reached out to the hacker, offering them a “white hat” reward of 10% of the stolen funds while requesting the return of the remaining 90%, which amounts to 3,300 ETH, approximately $8.4 million.
In a statement shared on social media platform X, zkLend said, “Upon receiving the transfer, we agree to release you from any and all liability regarding the attack. We are working with security firms and law enforcement at this stage. If we do not hear from you by 00:00 UTC, 14th Feb 2025, we will proceed with the next steps to track and prosecute you.”
Real-time security alert platform Cyvers Alerts reported that the stolen funds were bridged to Ethereum and laundered through the privacy-focused protocol Railgun.
What Is zkLend?
zkLend aims to provide a user-friendly, secure, and efficient money-market platform tailored to meet users’ liquidity needs. The protocol is a permissionless lending market designed primarily for retail users, allowing them to deposit and borrow digital assets directly through their wallets at any time. Depositors can earn yields based on the interest paid by borrowers who utilize the deposited assets. Additionally, users can leverage their deposited assets as collateral to borrow other digital assets.
The project raised $5 million in a seed funding round in 2022, with Delphi Digital leading the investment and Three Arrows Capital and StarkWare also participating.
About The Author
Alisa, a dedicated journalist at the MPost, specializes in cryptocurrency, zero-knowledge proofs, investments, and the expansive realm of Web3. With a keen eye for emerging trends and technologies, she delivers comprehensive coverage to inform and engage readers in the ever-evolving landscape of digital finance.