DeFi lending protocol, hit by a $9.5m hack months ago, waves the white flag

First, zkLend lost $9.5 million to a malicious exploit in February.

Then Railgun, a privacy protocol, refused to launder the proceeds for the exploiter before losing the funds to a Tornado Cash scam.

Now, four months later, zkLend is calling it quits.

“It is with a heavy heart that we announce our decision to wind down zkLend,” the team announced on Wednesday.

Delisting

The DeFi lending protocol blamed the exploit and also the delisting of its native Zend token from major exchanges like Bybit and KuCoin for its predicament.

ZkLend becomes the latest entrant to drop out of DeFi’s Darwinian race. If there was ever a time when a protocol could survive a hack or exploit, it appears to have ended.

Conic Finance, for instance, shut down in March after suffering losses from malicious exploits on two occasions.

To be sure, there are exceptions. Alpaca Finance was undone by the cold arithmetic of obsolescence and a failure to achieve a sufficient product-market fit rather than a hack.

The losses are piling up.

Hackers, exploiters, and other malicious actors have stolen more than $2 billion from crypto projects in 2025, according to DefiLlama. That’s an almost 50% increase from the whole of last year.

In its heyday, zkLend held almost $56 billion in investor funds as a money market protocol on the StarkNet blockchain.

Rounding error

But it lost $9.5 million when an attacker exploited a rounding error vulnerability in one of its smart contracts. The attack bore similarities to other rounding error exploits suffered by DeFi protocols like EraLend.

The zkLend team tried to negotiate with the exploiter to return the syphoned funds in exchange for a 10% bounty. Those proceedings became moot when the attacker reported the loss of the funds to an apparent Tornado Cash scam.

ZkLend said it has only about $200,000 left in its treasury, which will be used to support affected users. The protocol’s frontend will also remain open for users to withdraw their assets.

Osato Avan-Nomayo is our Nigeria-based DeFi correspondent. He covers DeFi and tech. Got a tip? Please contact him at osato@dlnews.com.