TL;DR
- zkLend officially shut down after losing $9.5 million in a hack and seeing its ZEND token delisted from exchanges like Bybit and KuCoin.
- The protocol will allocate its remaining $200,000 treasury to a recovery fund for affected users and open-source its audited code for the DeFi community.
- The hacker lost $5.4 million after sending the stolen funds to a phishing site. zkLend is still offering a $500,000 bounty for information leading to their capture.
zkLend, a decentralized lending protocol built on Starknet, confirmed the permanent shutdown of its operations after a hack in February that drained $9.5 million from the platform.
The decision came after months of struggling to restore user confidence and following the delisting of its ZEND token from exchanges such as Bybit and KuCoin, which crushed liquidity and left no room for new initiatives or a relaunch.
zkLend to Open-Source Its Code
The team announced it will use the remaining $200,000 in its treasury to set up a recovery fund for affected users. It also kept some services active, including the recovery portal and tools like DeFi Spring and kSTRK, where users can withdraw assets or claim outstanding balances.
In parallel, zkLend will open-source its audited codebase, aiming to let other developers study or reuse the infrastructure even after the shutdown. The goal is to keep some of the work done by the team available for the DeFi ecosystem.
The Hacker Claims to Have Lost the Funds
Since the attack, zkLend worked with blockchain investigation firm zeroShadow to trace the stolen funds. Part of the money was bridged to Ethereum, passed through Railgun, and — due to an operational error by the attacker — returned to the original address. However, a large portion was lost when the hacker, believing they were using Tornado Cash, sent the funds to a phishing site.
In March, the attacker left an on-chain message admitting the mistake and asking zkLend to redirect recovery efforts toward the phishing site operators. Despite this, zkLend maintains a $500,000 bounty for verifiable information leading to the hacker’s identification and capture.
The shutdown of zkLend adds to a growing list of incidents in the DeFi ecosystem. In April alone, over $364 million was stolen, mostly through phishing scams.
