Altcoins Talks - Cryptocurrency Forum

Crypto Discussion Forum => Cryptocurrency discussions => Topic started by: examplens on February 16, 2025, 05:05:58 PM

Title: zkLend hack or exploit a loophole in the protocol?
Post by: examplens on February 16, 2025, 05:05:58 PM
A few days ago, zkLend, a decentralized finance lending protocol on Starknet, announced losses due to the hacking of their platform. First, they asked the hacker to return 90% of the withdrawn funds and keep 10% as a reward for that, and they would not start proceedings against them.

Quote
To the hacker:

We understand that you are responsible for today’s attack on zkLend. You may keep 10% of the funds as a whitehat bounty, and send back the remaining 90%, or 3,300 ETH to be exact, to this Ethereum address: 0xCf31e1b97790afD681723fA1398c5eAd9f69B98C.
https://x.com/zkLend/status/1889515118368829559

They did not accept it, so some kind of further investigation will probably follow.
However, is it a hack, or how should we characterize it when someone takes advantage of flaws in the system?
Yesterday they published the "zkLend security incident post-mortem (https://medium.com/zklend/zklend-security-incident-post-mortem-27d9abaf66f6)". In short, what happened?

The attack exploited interest manipulation and rounding errors during withdrawals in two steps:

The hacker deposited the minimum amount into an empty pool and used quick loan "donations" to artificially inflate the accumulator. By making frequent withdrawals and deposits, he abused rounding, which allowed him to withdraw more than he had.

A small initial deposit allowed for the manipulation of the basic budget, and quick loan "donations" artificially inflated the interest accumulator.
Rounding during withdrawals allowed for smooth withdrawals of excess funds.
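
The rounding issue described in the post above, as an added example that is not part of the original post and not zkLend's code: a simplified Python model of balances stored as raw units scaled by an accumulator. SCALE, the function names and the sample balances are assumptions; only the inflated accumulator value comes from the thread. It compares rounding the burned amount down with rounding it up in the pool's favour.

```python
# Added illustration, not zkLend's code: a simplified fixed-point model of
# balances stored as raw units scaled by a lending accumulator.
SCALE = 10**27  # assumed fixed-point precision of the accumulator

# Accumulator value quoted in the thread (4069297906051644020.0), in fixed point.
INFLATED = 4069297906051644020 * SCALE
NORMAL = 1 * SCALE  # accumulator of 1.0


def face_value(raw, acc):
    """Tokens that `raw` units are worth at accumulator `acc` (rounded down)."""
    return raw * acc // SCALE


def burn_floor(amount, acc):
    """Raw units burned for a withdrawal, rounded in the withdrawer's favour."""
    return amount * SCALE // acc


def burn_ceil(amount, acc):
    """Raw units burned for a withdrawal, rounded in the pool's favour."""
    return -(-amount * SCALE // acc)


def value_created(burn_fn, acc, raw_balance, amount):
    """Solvency check for one withdrawal.

    Returns tokens paid out plus face value left on the account, minus the
    face value held before. Any result above zero is value the pool never
    received.
    """
    burned = burn_fn(amount, acc)
    if burned > raw_balance:
        raise ValueError("withdrawal exceeds balance")
    before = face_value(raw_balance, acc)
    after = face_value(raw_balance - burned, acc)
    return amount + after - before


if __name__ == "__main__":
    # Constructed sample: an account holding 2 raw units withdraws 1.5 units' worth.
    amount = 3 * (INFLATED // SCALE) // 2
    for name, fn in (("floor", burn_floor), ("ceil", burn_ceil)):
        print(name, "normal:", value_created(fn, NORMAL, 2, 1),
              "inflated:", value_created(fn, INFLATED, 2, amount))
```

The error from rounding down is always less than one raw unit, which is harmless at an accumulator of 1.0 and large once one raw unit is worth the inflated accumulator value.
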
Title: Re: zkLend hack or exploit a loophole in the protocol?
Post by: hugeblack on February 16, 2025, 06:17:42 PM

Exploiting security vulnerabilities is another definition of hacking, as it is simply gaining access to someone without obtaining the appropriate permissions.

A whitehat bounty should come before stealing coins and exploiting the vulnerability; then they can claim 10%. But after the hacking occurs, such deals may encourage more hackers to steal customers' money and get 10% without legal problems.

Anyway, another decentralized finance hacked ;D
Title: Re: zkLend hack or exploit a loophole in the protocol?
Post by: Stompix on February 16, 2025, 07:09:56 PM
Quote
After the 10 flash loan transactions, the lending accumulator grew from the initial value of 1.0 into 4069297906051644020.0.

Who wrote that garbage where something like this is possible?
A simple limit where total accumulator can't get past the maximum loan would have prevented this.

Quote
That’s why in most lending protocols, user balances are not stored directly in face values.

Oh, what a surprise, we knew that for years but god forbid you tell your users these tiny details until they get burned.
Title: Re: zkLend hack or exploit a loophole in the protocol?
Post by: Zed0X on February 16, 2025, 10:48:18 PM
Right, another protocol getting exploited ;D How quickly people forget what happened to the previous 'decentralized' platforms. Ever since the flash loan attacks, users should have been more cautious with this 'decentralized' lending. Good luck chasing the hacker.
Title: Re: zkLend hack or exploit a loophole in the protocol?
Post by: examplens on February 17, 2025, 10:56:06 AM
I forgot to add the total amount of losses they admitted.
Or in aggregate:

2213.638314603870948591 ETH
1553069.487238 USDC
7426029.991485769316032807 STRK
518225.710536 USDT

Quote
Who wrote that garbage where something like this is possible?
A simple limit where total accumulator can't get past the maximum loan would have prevented this.

Their official announcement. ???
One of the reasons why I thought it would be better if they just admitted the hack, without explaining the failure on the platform.
Title: Re: zkLend hack or exploit a loophole in the protocol?
Post by: Stompix on February 17, 2025, 02:47:14 PM
Quote
Who wrote that garbage where something like this is possible?
A simple limit where total accumulator can't get past the maximum loan would have prevented this.
Their official announcement. ???
One of the reasons why I thought it would be better if they just admitted the hack, without explaining the failure on the platform.

Well, yeah, I was saying who wrote the code where this possible rounding up is perpetual and is not updating with every single balance. The thing is idiotic: you can't allow rounding up to go over a unit of measure. That's a thing banks solved before there was internet and we had faxes and telegraph messages.
Either way, "decentralized" platform, so, if you lost money on that, who do you go after?