zkLend, a decentralized lending protocol on Starknet, announced on June 25, 2025, that it is winding down all operations after suffering a $9.5 million exploit in February that severely damaged user confidence. The protocol stated it will use its remaining $200,000 treasury to support affected users through a dedicated recovery fund.
The February 12 exploit took advantage of a precision rounding flaw in zkLend's smart contracts allowing an attacker to drain approximately 3,300 ETH. These funds were bridged to Ethereum and routed through the privacy tool Railgun. Despite a 10% white hat bounty offer, the hacker did not return the funds initially but later unintentionally lost 2,930 ETH to a phishing site impersonating Tornado Cash. The attacker publicly admitted the loss and expressed remorse.
The post-breach environment worsened when zkLend’s native token, ZEND, was delisted from major exchanges Bybit and KuCoin, sharply reducing liquidity and trading options. This made it unfeasible for zkLend to raise fresh capital or pursue new initiatives. As a result, the team has decided against relaunching the protocol.
Key zkLend portals including DeFi Spring, Recovery, and kSTRK remain operational to allow users to unstake assets or claim balances. The team has engaged blockchain forensics firm zeroShadow to trace any stolen assets and pledged to redirect recovered funds to the user recovery pool.
zkLend also plans to publish its audited and refreshed codebase as open source to enable developers to build on its framework. The shutdown marks the end of zkLend’s four-year run on Starknet, shifting focus from protocol development towards compensating users impacted by the breach.
This shutdown adds to the growing number of DeFi platforms impacted by security exploits in 2025. Security firm CertiK reported a steep rise in crypto hacks, with $364 million stolen in April alone.