zkLend: Empty market accumulator inflation via flash loan donation mechanism + rounding error → collateral inflation → drain
zkLend lost $9.57M on Starknet when an attacker combined three harmless-looking design details — an empty market, a flash loan donation mechanism, and integer rounding — to inflate their collateral balance from 1 to over 7,000 wstETH and drain multiple lending pools.
Summary
zkLend, a lending / money market protocol on Starknet, suffered an exploit on 2025-02-11, resulting in a loss of approximately $10M.
What happened
zkLend lost $9.57M on Starknet when an attacker combined three harmless-looking design details — an empty market, a flash loan donation mechanism, and integer rounding — to inflate their collateral balance from 1 to over 7,000 wstETH and drain multiple lending pools.
Linked factors
- RD-F-006 — causal: Audit-deploy gap (time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Partially — wstETH market was newly added to Starknet; the combination of new empty market + existing accumulator logic created the exploit ...]
- RD-F-146 — related: New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Partially — wstETH market was newly added to Starknet; the combination of new empty market + existing accumulator logic created the exploit ...]