Source: Cointelegraph
A phishing website led to the loss of most of the stolen funds. The hacker sent a message to zkLend via Etherscan on March 31, stating that 2,930 ETH (approximately $5.4 million) in stolen funds had been consumed by a phishing site.
On-chain records show that on the same day, the hacker transferred funds in multiple transactions to an address named "Tornado.Cash: Router," initially operating in increments of 100 ETH, and finally transferring three separate amounts of 10 ETH each. "I intended to transfer funds through Tornado, but I accidentally entered a phishing site, resulting in the loss of all my assets. I feel utterly hopeless and deeply apologize for the chaos and loss caused," the hacker wrote in the message.
The hacker behind the zkLend vulnerability claimed that most of the funds were stolen by a phishing site impersonating the Tornado Cash frontend. Source: Etherscan
The hacker added, "All 2,930 ETH were taken by that phishing site. I am now broke. Please do your utmost to track down the website operators; perhaps some funds can still be recovered."
In response, zkLend officials demanded that the hacker "return all remaining funds in the wallet" to the project address. However, Etherscan data shows that the hacker subsequently transferred 25 ETH to a wallet labeled Chainflip1.
In fact, during the hacker's transfer period, a user had already issued a warning on-chain: "Don't celebrate too early," pointing out that all funds were flowing into a fraudulent Tornado Cash website. The hacker replied in frustration, "I'm so devastated. Just because I clicked the wrong website, everything is gone."
Another user warned the zkLend exploiter, but it was too late. Source: Etherscan
How zkLend fell victim to a $9.6 million vulnerability attack
According to a post-mortem analysis report released by the protocol on February 14, zkLend suffered an "empty market vulnerability attack" on February 11. The attacker artificially inflated the value of the lending accumulator by depositing a small amount of funds and utilizing flash loans.
The hacker then profited by repeatedly depositing and withdrawing funds, exploiting a significant rounding error vulnerability caused by the inflation of the accumulator.
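The rounding behaviour described above can be checked as a solvency invariant. The following is an added illustration, not zkLend's code and not taken from its post-mortem: a simplified scaled-balance market in which the fixed-point scale, the amounts and all names are constructed assumptions. It compares a withdrawal that truncates the burned balance with one that rounds it up against the caller, a common mitigation for this bug class.

```python
from fractions import Fraction

SCALE = 10**27  # assumed fixed-point scale for the accumulator

def div_down(a, b):
    return a // b

def div_up(a, b):
    return -(-a // b)

class Market:
    """Simplified model: a user's claim is raw_balance * accumulator / SCALE."""

    def __init__(self, accumulator, round_burn_up):
        self.acc = accumulator
        self.round_burn_up = round_burn_up
        self.raw = {}   # scaled balance per account
        self.cash = 0   # underlying tokens actually held

    def deposit(self, who, amount):
        # Minting rounds down, so a depositor is never over-credited.
        self.raw[who] = self.raw.get(who, 0) + div_down(amount * SCALE, self.acc)
        self.cash += amount

    def withdraw(self, who, amount):
        # Weak form truncates the burn; hardened form rounds it up (against the caller).
        div = div_up if self.round_burn_up else div_down
        burned = div(amount * SCALE, self.acc)
        if burned > self.raw.get(who, 0):
            raise ValueError("withdrawal exceeds balance")
        self.raw[who] -= burned
        self.cash -= amount

    def deficit(self):
        # Solvency invariant: total claims must never exceed cash held (deficit <= 0).
        claims = Fraction(sum(self.raw.values()) * self.acc, SCALE)
        return claims - self.cash

def deficit_after_round_trips(accumulator, round_burn_up, rounds=10):
    m = Market(accumulator, round_burn_up)
    m.deposit("lp", 9000)        # constructed liquidity-provider deposit
    for _ in range(rounds):      # constructed deposit/withdraw amounts
        m.deposit("acct", 9)
        m.withdraw("acct", 8)
    return m.deficit()

if __name__ == "__main__":
    for label, acc in (("normal", SCALE), ("inflated", 45 * SCALE // 10)):
        for hardened in (False, True):
            print(label, "hardened" if hardened else "truncating",
                  float(deficit_after_round_trips(acc, hardened)))
```

With the accumulator at 1.0 both variants stay solvent; at 4.5 the truncating variant accumulates a deficit on every round trip, while the rounded-up variant leaves the pool with a small surplus.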
The stolen funds were cross-chain transferred to the Ethereum network, but the attempt to launder the money through Railgun failed due to protocol policy restrictions, resulting in the funds being returned to the original address.
After the attack, zkLend proposed that the hacker could keep 10% of the funds as a bounty for the vulnerability and promised to absolve them of legal liability and investigations by law enforcement if the remaining ETH was returned.
The deadline of February 14 has passed, and neither party has made a public response. In an update released on the X platform on February 19, zkLend stated that it would offer a $500,000 bounty for any verifiable information leading to the hacker's capture or the recovery of funds.
According to data from blockchain security company CertiK, losses in the cryptocurrency sector due to scams, exploits, and hacking attacks have exceeded $33 million, but this figure was reduced to $28 million after the decentralized exchange aggregator 1inch successfully recovered stolen funds.
In February, total losses in the cryptocurrency sector due to scams, exploits, and hacking attacks approached $1.53 billion. Among them, the North Korean Lazarus Group's $1.4 billion attack on Bybit on February 21 accounted for the majority, becoming the largest cryptocurrency hacking incident in history, double the $650 million stolen in the Ronin Bridge case in March 2022.