Authors | Doublenine, Lisa
Editor | Liz
Background
According to intelligence from the SlowMist Security Team, on February 12, 2025, the leading lending platform on Starknet, zkLend, suffered an attack that resulted in nearly $10 million in asset losses. The SlowMist Security Team analyzed the incident and shared the results as follows:
Relevant Information
- Attacker Address: https://starkscan.co/contract/0x04d7191dc8eac499bac710dd368706e3ce76c9945da52535de770d06ce7d3b26
- Vulnerable Market Contract Address: https://starkscan.co/contract/0x04c0a5193d58f74fbace4b74dcf65481e734ed1714121bdc571da345540efa05
- One of the Attack Transactions: https://starkscan.co/tx/0x0160a5841b3e99679691294d1f18904c557b28f7d5fe61577e75c8931f34a16f
Root Cause
The root cause of this exploit lies in the ability to manipulate and amplify the value of the accumulator in an empty market using a unique mechanism within flash loans. Additionally, the market contract used the SafeMath library for division, which divides the values directly and truncates the result. This allowed the attacker to use the amplified accumulator to trigger rounding-down errors and profit from them.
Attack Steps Analysis
Preparatory Steps Before the Attack
1. The attacker first called the deposit function of the market contract, depositing 1 wei of the wstETH token into the contract.
It can be observed that the wstETH token market was in an empty state, where both the amount of wstETH held by the market contract and the minted amount of zwstETH were zero prior to this deposit. This allowed the attacker to manipulate the next steps at a minimal cost.
At this stage, the lending_accumulator value in the wstETH market was 1e27.
Transaction Hash: https://voyager.online/tx/0x039b6587b9d545cfde7c0f6646085ab0c39cc34e15c665613c30f148b569687
2. Next, the attacker called the flash_loan function of the market contract, borrowing 1 wei of wstETH and repaying 1,000 wei of wstETH.
After the flash loan, the lending_accumulator value in the wstETH market increased to 8.51e29, an amplification of 851 times compared to its previous value.
Transaction Hash: https://voyager.online/tx/0x039b6587b9d545cfde7c0f6646085ab0c39cc34e15c665613c30f148b569687c
So, what caused such a significant amplification of the lending_accumulator value? Let’s look into the flash_loan function in the market contract:
After the user repaid the flash loan, a function named settle_extra_reserve_balance was called.
This function mainly allocates the contract’s extra funds to depositors. The allocation method involves calculating a new lending_accumulator based on the contract’s extra funds and updating the market data for the corresponding asset token. The simplified calculation formula is as follows:
(reserve_balance + total_debt - amount_to_treasury) * 1e27 / ztoken_supply
Since the market was in an empty state previously:
- reserve_balance equals the flash loan repayment amount (1,000 wei),
- total_debt is 0,
- amount_to_treasury is calculated as 149 wei,
- and the zwstETH supply equals 1 wei (minted during the prior deposit operation).
The final calculated value for the updated lending_accumulator was 8.51e29.
From the historical transaction records, it was observed that the attacker performed multiple identical flash loan operations, quickly amplifying the lending_accumulator value in the wstETH market by repaying increasing amounts of tokens each time.
Eventually, the lending_accumulator was amplified to an extremely large value of 4.069e45.
Formal Attack
Transaction Hash: https://voyager.online/tx/0x0160a5841b3e99679691294d1f18904c557b28f7d5fe61577e75c8931f34a16f
1. When another user deposited into the wstETH market, the attacker began the formal attack. First, the attacker called the deposit function, depositing approximately 4.069 wstETH into the contract.
2. Then, the attacker called the withdraw function, withdrawing approximately 6.1039 wstETH.
3. By repeating the above steps, the attacker ultimately stole approximately 61 wstETH from the market.
Why did the attacker deposit only 4.069 wstETH but manage to withdraw 6.103 wstETH?
Following the deposit function, when the user transfers the asset token wstETH, the system externally calls the zToken contract to mint the corresponding amount of zwstETH tokens for the user.
The actual amount of zwstETH the user receives is calculated based on the amount of asset tokens transferred and the market's lending_accumulator:
Let’s follow up on the safe_decimal_math library used in the calculation:
The formula for calculating the actual amount of zwstETH received is:
zToken_amount = amount * 1e27 / lending_accumulator
Where amount is 4069297906051644021 and the lending_accumulator, manipulated by the attacker, is 4069297906051644020000000000000000000000000000. The final calculated amount of zwstETH obtained is 1.
When the user calls the withdraw function to withdraw 6.103 wstETH, the system calls the burn function of the zToken contract to burn the previously obtained zwstETH.
In the burn function of the zToken contract, the calculation method for the actual amount of zwstETH to be burned is the same as during minting:
Here, the amount passed in is 6103946859077466029. However, since the div function in the safe_math library performs division with truncation, the decimal part of the result is discarded. Additionally, because the lending_accumulator was previously amplified by the attacker, the final calculated amount of zwstETH to be burned, due to rounding down, is also equal to 1. This exactly matches the amount of zwstETH initially obtained during the deposit.
6103946859077466029 * 1e27 / 4069297906051644020000000000000000000000000000 = 1
Thus, the logic for burning zwstETH tokens during withdrawal passes successfully, which is why the attacker can deposit only 4.069 wstETH but withdraw 6.103 wstETH.
Under normal market conditions, the value of the lending_accumulator should have a precision of 1e27. When dividing, the numerator is several orders of magnitude larger than the denominator, so the result is not affected.
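The accumulator update and the mint/burn rounding described above can be replayed with the numbers quoted on this page. This is an added Python example, not zkLend's Cairo code and not part of the original analysis; the function names and the round-up burn variant are assumptions used to show how rounding in the protocol's favour changes the outcome.

```python
# Added illustration of the arithmetic on this page; not zkLend's Cairo code.
SCALE = 10**27  # accumulator precision quoted on the page (1e27)

# Values quoted on the page
INFLATED_ACC = 4069297906051644020000000000000000000000000000
DEPOSIT = 4069297906051644021
WITHDRAW = 6103946859077466029

def settle_accumulator(reserve_balance, total_debt, amount_to_treasury, ztoken_supply):
    """Simplified accumulator update from the page, with truncating division."""
    return (reserve_balance + total_debt - amount_to_treasury) * SCALE // ztoken_supply

def to_raw_floor(amount, accumulator):
    """amount * 1e27 / lending_accumulator, remainder discarded (as described)."""
    return amount * SCALE // accumulator

def to_raw_ceil(amount, accumulator):
    """Hypothetical hardened burn: round up so a burn never undercounts."""
    return -((-amount * SCALE) // accumulator)

def unit_value(accumulator):
    """Underlying wei represented by one raw zToken unit."""
    return accumulator // SCALE

def withdraw_passes(raw_balance, amount, accumulator, burn_rounding):
    """The burn succeeds only if the holder owns the raw units it requires."""
    return burn_rounding(amount, accumulator) <= raw_balance

def replay():
    minted = to_raw_floor(DEPOSIT, INFLATED_ACC)  # deposit mints, rounded down
    return {
        "acc_after_first_flash_loan": settle_accumulator(1000, 0, 149, 1),
        "minted": minted,
        "burn_floor": to_raw_floor(WITHDRAW, INFLATED_ACC),
        "burn_ceil": to_raw_ceil(WITHDRAW, INFLATED_ACC),
        "passes_with_floor": withdraw_passes(minted, WITHDRAW, INFLATED_ACC, to_raw_floor),
        "passes_with_ceil": withdraw_passes(minted, WITHDRAW, INFLATED_ACC, to_raw_ceil),
        "wei_per_unit_healthy": unit_value(SCALE),
        "wei_per_unit_inflated": unit_value(INFLATED_ACC),
    }

if __name__ == "__main__":
    for key, value in replay().items():
        print(f"{key}: {value}")
```

With the truncating burn the withdrawal needs 1 raw unit and passes; with the round-up variant it needs 2 and is rejected. The per-unit value shows why: one raw zwstETH unit stands for 1 wei at an accumulator of 1e27 and for about 4.069 wstETH at the inflated value, so each truncated fraction is worth that much.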
MistTrack Analysis
According to on-chain tracking tool MistTrack, the attacker stole approximately $9.5 million from zkLend. They then converted the stolen tokens into ETH and used cross-chain bridges such as LayerSwap, Orbiter Bridge, Rhino.fi, and StarkGate ETH Bridge to transfer the funds across various networks. Most of the funds were bridged to the following Ethereum addresses:
- 0xcd1c290198e12c4c1809271e683572fbf977bb63
- 0x0b7d061d91018aab823a755020e625ffe8b93074
- 0x645c77833833A6654F7EdaA977eBEaBc680a9109
Among them, the address 0x645c77833833A6654F7EdaA977eBEaBc680a9109 has a significant transaction history, with the first recorded transaction dating back to June 22, 2024.
This address has interactions with Binance on Ethereum, BSC, and Base networks, suggesting it might be a third-party trading platform nested with Binance account interfaces. Additionally, it has records of interactions with ChangeNOW and Hitbtc on the Ethereum network.
Further analysis of the attacker’s related address on Starknet, 0x04d7191dc8eac499bac710dd368706e3ce76c9945da52535de770d06ce7d3b26, reveals a strong correlation with the following L1 addresses before the attack:
- 0xd95b3c1e638ce3cdc070ad6d4f385c61e2ee8662
- 0x93920786e0fda8496248c4447e2e082da69b6c40
- 0x34e5dc779cb705200e951239b6a89aaf5c7dbfc1
According to MistTrack’s extended analysis, the addresses 0x93920786e0fda8496248c4447e2e082da69b6c40 and 0x34e5dc779cb705200e951239b6a89aaf5c7dbfc1 are linked to the attacker addresses from the EraLend hack on July 25, 2023. Additionally, according to intelligence from the SlowMist InMist Lab, 0x93920786e0fda8496248c4447e2e082da69b6c40 was used by the attacker to receive stolen funds from the EraLend hack.
At that time, EraLend suffered a loss of approximately $2.76 million. The attacker similarly used multiple bridges to spread the stolen funds across various chains and wallets.
In summary, the zkLend and EraLend attacks were carried out by the same attacker.
Conclusion
The core of this attack lies in the attacker exploiting a unique mechanism in the flash loan process, manipulating and amplifying the accumulator value in an empty market. This allowed them to exploit a rounding error to obtain more assets than expected during withdrawal.
The SlowMist security team recommends that project teams design a robust and secure flash loan logic model, taking into account scenarios affecting the calculation of deposit receipt tokens. Additionally, secure rounding mechanisms should be implemented in mathematical operations to prevent precision loss. For core business logic involving deposits and withdrawals, enhanced audits and security testing should be performed to avoid similar incidents.