zkLend

We are aware of the ongoing security incident on zkLend. The team is now investigating and will provide an update when possible. Thank you for your patience.

2. Users who staked directly with the zkLend validator through Voyager or Endurfi must manually unstake or change delegation to other validators. No exit queue applies in this case.

The following exceptions apply: 1. kSTRK not yet claimed from the Recovery Portal: once claimed, users will need to unstake and wait 21 days before redeeming to STRK. The staking portal will remain available for another 6 months.

An update on kSTRK unstaking & withdrawals The 21-day unstaking process has been completed, and most kSTRK holders can now withdraw their STRK from the zkLend staking portal.

Dear zkLend Community, It is with a heavy heart that we announce our decision to wind down zkLend. This decision was not made lightly. Over recent months, the exploit we suffered has deeply eroded user confidence, and furthermore, the recent removal of ZEND from major exchanges such as Bybit and KuCoin has further constrained token liquidity and accessibility. This development significantly limits our capacity to effectively allocate toward any new initiatives. Given these circumstances, we believe that using the remainder of our treasury —$200,000—towards supporting affected users through the recovery fund is a more responsible and meaningful use of resources than relaunching our money markets and continuing development. To support our community during this process: 1. The DeFi Spring, recovery, and kSTRK portal will remain live and accessible for users to unstake or to claim. 2. We continue to engage zeroShadow for their expertise in tracking down lost funds. Any recovery from these efforts will be directed towards the user recovery fund. 3. We’re open-sourcing our audited and refreshed codebase for any interested parties for further development. This will be made available in the following few weeks. We will continue to remain online and committed to the recovery of stolen funds through any means necessary. We want to sincerely thank every one of you for your support and trust throughout this journey. We have been proud to be part of Starknet’s journey from its early beginnings and to witness its growth and evolution firsthand. With gratitude and resolve, The zkLend Team

STRK staking v2 migration is now complete. Users can continue to stake STRK and mint kSTRK, as well as redeem as usual via zkLend.

Last night, the exploiter of zkLend tried to use Tornado Cash to mix 2930 ETH of the stolen funds and interacted with a known Tornado Cash phising website tornadoeth[.]cash, thereby losing the funds to another party. x.com/tornadocashbot… This website appears to have operating over 5 years. At this stage, security teams do not have conclusive evidence that the phshing website and the exploiter are connected. As a precaution, we have included these new wallet addresses from the phshing website into our fund tracing efforts. Source: x.com/evilcos/status… Since last night, there have been significant movements of funds from the exploiter’s controlled wallet addresses. Both security and zkLend team were monitoring in real time, while liaising with CEX and authorities in parallel. We will continue our efforts to track down these funds.

Recovery Pool Update A small amount of recently vested ZEND has been added to the recovery pool. Check your eligibility under ‘Ongoing Recovery’: recovery.zklend.com/claim Stay safe—only interact with our official channels.

Donate to zkLend Recovery: Donation page is live now for individuals, institutions, and ecosystem partners to support our community’s recovery. All donations will go to the affected users via the Recovery Fund. We are grateful for your contributions to rebuilding zkLend and strengthening the Starknet community! recovery.zklend.com/donation Reminder: Always interact with our verified channels—beware of fake accounts.

Recovery Portal is now live: recovery.zklend.com Please be vigilant—Always interact with our official channels and verify communications through our verified socials.

To our users, The Recovery Portal will go live tomorrow, March 05, 2025, at 06:00 UTC. Recovery rates are now final, and you will be able to access your claims directly through the portal by connecting with your affected wallets. Thank you for your continued patience. medium.com/zklend/zklend-…

It has come to our attention that there have been phishing attempts by impersonating zkLend accounts online. Please do not engage and only refer to the official zkLend website and app link - the official recovery portal is expected to be available by the end of the week.

To our users, Deposits in unaffected pools are expected to receive a full return of funds, and deposits in the affected pools will receive a partial return of funds along with a claim position to zkLend recovery pool. We will begin the withdrawal process in 2 weeks after the recovery claim portal has been audited. Thank you for your continued patience. medium.com/zklend/zklend-…

Update: We are offering a $500,000 bounty for any verifiable information that leads to the arrest of the hacker and the recovery of all stolen funds. If you believe you have information on the hacker’s identity, please provide evidence and contact us at info@zklend.com. etherscan.io/tx/0xfb63396c9…

zkLend Security Incident Post Mortem. To our users, Starting on 11th of February, zkLend suffered an attack resulting in the loss of around $9.6 million USD in funds. We would like to thank our users and partners for their patience and trust in this difficult time. In addition to initial analysis and continuous transparent updates on all our channels, this post mortem serves as a brief report on the progress so far. Post mortem: drive.google.com/file/d/10i1dh_…

To our users, As the exploiter did not contact us by the deadline, the zkLend team is pursuing legal action, which may be a prolonged process. To ensure transparency, we filed an incident report with Hong Kong Police Force, the FBI, and Homeland Security to commence investigation. Our investigation indicates that the hacker has been linked to prior attacks on other DeFi protocols. We have been monitoring fund flows and identified multiple relevant wallet addresses. We have shared this information with CEXes, who are taking appropriate actions within their purview. Concurrently, we are preparing a post-mortem report with our security team, detailing the attack and its underlying causes. We will announce a recovery and fund release plan next week. Our priority is to minimize the impact on our users and partners, and handle this situation fairly and transparently for everyone involved. We appreciate your patience as we work to resolve this matter as quickly as possible. We sincerely apologize again to our users and all those affected by this incident.

We’ve identified impersonator accounts falsely claiming to be zkLend. Please note our official X handle is @zkLend. We never DM first or request actions outside our verified socials. As of writing, we have not asked users to click links. Always verify communications through our official channels.

To our users: We are actively tracking the funds and pursuing the identification of the hacker, in collaboration with @StarkWareLtd, the @StarknetFndn, @zeroshadow_io (formerly @chainalysis Incident Response), Binance Security Team, and @HypernativeLabs. We are committed to full transparency and will share a comprehensive post-mortem analysis as soon as it is completed. We understand that this is a challenging time for our community, and your trust remains our highest priority. We appreciate your patience and support as we work diligently to resolve this issue.

To the hacker: We understand that you are responsible for today’s attack on zkLend. You may keep 10% of the funds as a whitehat bounty, and send back the remaining 90%, or 3,300 ETH to be exact, to this Ethereum address: 0xCf31e1b97790afD681723fA1398c5eAd9f69B98C. Upon receiving the transfer, we agree to release from any and all liability regarding the attack. We are working with security firms and law enforcement at this stage. If we do not hear from you by 00:00 UTC, 14th Feb 2025, we will proceed with the next steps to track and prosecute you. This message is binding. It’s sent from the Ethereum ZEND token deployer account. Its authenticity can be verified by cross-checking with zkLend’s Twitter/X account. etherscan.io/tx/0xe04a7954d…