DeFi Lending Protocol zkLend Shuts Down After $9.5M Exploit, Token Delisting
The exploit, caused by a rounding error vulnerability in one of zkLend’s smart contracts, siphoned off millions in user funds and marked the beginning of a rapid unraveling for the project. Despite attempts to negotiate with the attacker, including a proposed 10% bounty offer, zkLend was unable to recover the stolen funds.
zkLend, a once-promising decentralized finance (DeFi) lending platform on StarkNet, is shutting down after a series of devastating setbacks, most notably a $9.5 million exploit in February 2025 and the subsequent delisting of its native token, Zend, from major centralized exchanges like Bybit and KuCoin.
“It is with a heavy heart that we announce our decision to wind down zkLend,” the protocol’s team stated in a message posted on Wednesday.
Dear zkLend Community,
It is with a heavy heart that we announce our decision to wind down zkLend.
This decision was not made lightly. Over recent months, the exploit we suffered has deeply eroded user confidence, and furthermore, the recent removal of ZEND from major exchanges…
The exploit, caused by a rounding error vulnerability in one of zkLend’s smart contracts, siphoned off millions in user funds and marked the beginning of a rapid unraveling for the project. Despite attempts to negotiate with the attacker, including a proposed 10% bounty offer, zkLend was unable to recover the stolen funds. In an unexpected twist, the attacker later claimed to have fallen victim to a Tornado Cash scam, compounding the platform’s woes.
In the aftermath, privacy protocol Railgun publicly refused to facilitate the laundering of the stolen assets, a rare show of ethics in a space often criticized for opacity. Yet even this principled stand could not rescue zkLend from its downward spiral.
At its peak, zkLend boasted a total value locked (TVL) of nearly $56 billion, making it one of the flagship DeFi money market platforms on StarkNet. Its collapse underscores a broader crisis in the DeFi sector, which has already seen over $2 billion stolen by hackers and exploiters in 2025 alone — a nearly 50% jump from the previous year, according to DeFiLlama.
DeFi’s harsh reality has shown little mercy to struggling protocols. In March, Conic Finance also shuttered after being hit twice by exploits. Others, like Alpaca Finance, folded not due to hacks, but because of lackluster adoption and product-market fit.
zkLend’s remaining treasury, estimated at around $200,000, will be used to support affected users. The platform’s frontend will remain operational to allow asset withdrawals, but no further development is planned.
Editorial Note:This news article has been written with assistance from AI. Edited & fact-checked by the Editorial Team.
Harshajit Sarmah is a Web3 and crypto journalist with over 8 years of experience covering blockchain, cryptocurrency, and AI. He is the founder and editor of Crypto India Magazine (CIM) and NARRATIVE.
Trezor has launched native stablecoin yield inside Trezor Suite through a Morpho integration, letting users earn on USDC and USDT on Ethereum. Every deposit and withdrawal is signed on-device, with no lockups and instant exits.
OxPay Financial's subsidiary Oxygen7 received a full Financial Services Licence from Bhutan's Gelephu Financial Services Office on April 29, 2026, clearing the way for a regulated crypto payments and stablecoin remittance platform targeting GMC's tourism and B2B sectors.
At Money20/20 Asia 2026 in Bangkok, the lines between traditional finance and DeFi continued to blur. From J.P. Morgan’s blockchain scale to EMURGO’s self custody push, the event revealed a clear shift toward interoperable, user controlled financial systems.