zkLend hacker claims losing stolen ETH to Tornado Cash phishing site

How zkLend was exploited for $9.6 million

zkLend suffered an empty market exploit on Feb. 11 when an attacker used a small deposit and flash loans to inflate the lending accumulator, according to the protocols Feb. 14 post-mortem.

The hacker then repeatedly deposited and withdrew funds, exploiting rounding errors that became significant due to the inflated accumulator.

The attacker bridged the stolen funds to Ethereum and later failed to launder them through Railgun after protocol policies returned them to the original address.

Following the exploit, zkLend proposed the hacker could keep 10% of the funds as a bounty and offered to release the culprit from legal liability and scrutiny from law enforcement if the remaining Ether was returned.

The offer deadline of Feb. 14 passed with no public response from either party. In a Feb. 19 update to X, zkLend said it was now offering a $500,000 bounty for any verifiable information that could lead to the hacker being arrested and the funds recovered.

Losses to crypto scams, exploits and hacks totaled over $33 million in March, according to blockchain security firm CertiK, but dropped to $28 million after decentralized exchange aggregator 1inch successfully recovered its stolen funds.

Losses to crypto scams, exploits and hacks totaled nearly $1.53 billion in February. The $1.4 billion Feb. 21 attack on Bybit by North Korea‘s Lazarus Group made up the lion’s share and took the title for largest crypto hack ever, doubling the $650 million Ronin bridge hack in March 2022.