zkLend Collapse: $200K User Refund After Exploit Chaos and Exchange Purge
Another DeFi domino falls as zkLend pulls the plug—victim of an exploit and sudden exchange delistings. The silver lining? Users claw back $200K from the wreckage.
When code fails, who pays? zkLend's collapse exposes DeFi's recurring nightmare: protocol exploits triggering death spirals. This time, at least retail gets scraps from the table.
The refund move smells like crisis PR—$200K won't cover the trauma of watching your assets evaporate. But in crypto's wild west, even pocket change counts as customer protection.
Liquidity squeeze and decision to quit
While zkLend assessed recovery options, Bybit and KuCoin removed the ZEND token from their spot markets, sharply reducing trading depth and cutting off a path to raise fresh liquidity.
The team said these constraints made a relaunch unrealistic. Instead, zkLend will keep its DeFi Spring, recovery, and kSTRK portals online, allowing users to unstake assets or claim balances.
It also retained security outfit zeroShadow to trace any remaining stolen coins, pledging to route future recoveries to the user fund.
zkLend plans to publish its refreshed, audited codebase as open-source “in the coming weeks” for any developer who wants to build on the framework. The team added that it will “remain online and committed to the recovery of stolen funds through any means necessary,” but will not restart its money-market operations.
The decision marks the end of zkLend’s four-year run on Starknet and formalizes the shift from rebuilding the protocol to compensating users through the recovery pool.
Exploit drained 3,300 ETH
On Feb.12, an attacker used a precision rounding flaw in zkLend’s Starknet contracts to drain about 3,300 ETH,. The exploiter bridged the assets to ethereum and routed them through the privacy tool Railgun.
zkLend offered the exploiter a 10% bounty if 90% of the funds were returned by February 14, warning that it WOULD pursue legal action if the deadline passed. The funds never came back, and the protocol halted withdrawals while it worked with security firm Cyvers, law enforcement agencies, and on-chain investigators.
The investigation produced an unexpected twist on April 1 when zkLend reported that the attacker lost 2,930 ETH to a.
Blockchain analytics firm Lookonchain confirmed the loss, and the attacker sent an on-chain message admitting the mistake, stating he lost all the funds. He added: “I’m devastated and sorry.”
The breach left users locked out of their deposits, and the protocol’s reputation suffered as a result.
