1 day ago
The hacker down the $9.6 cardinal exploit of the decentralized money-lending protocol zkLend successful February claims they’ve conscionable fallen unfortunate to a phishing website impersonating Tornado Cash, resulting successful the nonaccomplishment of a important information of the stolen funds.
In a connection sent to zkLend done Etherscan connected March 31, the hacker claimed to person mislaid 2,930 Ether (ETH) from the stolen funds to a phishing website posing arsenic a front-end for Tornado Cash.
In a bid of March 31 transfers, the zkLend thief sent 100 Ether astatine a clip to an code named Tornado.Cash: Router, finishing with 3 deposits of 10 Ether.
“Hello, I tried to determination funds to a Tornado, but I utilized a phishing website, and each the funds person been lost. I americium devastated. I americium terribly atrocious for each the havoc and losses caused,” the hacker said.
The hacker down the zkLend exploit claims to person mislaid astir of the funds to a phishing website posing arsenic a front-end for Tornado Cash. Source: Etherscan
“All the 2,930 Eth person been taken by that tract owners. I bash not person coins. Please redirect your efforts towards those tract owners to spot if you tin retrieve immoderate of the money,” they added.
zkLend responded to the connection by asking the hacker to “Return each the funds near successful your wallets” to the zkLend wallet address. However, according to Etherscan, different 25 Ether was past sent to a wallet listed arsenic Chainflip1.
Earlier, different idiosyncratic warned the exploiter astir the error, telling them, “don’t celebrate,” due to the fact that each the funds were sent to the scam Tornado Cash URL.
“It is truthful devastating. Everything gone with 1 incorrect website,” the hacker replied.
Another idiosyncratic warned the zkLend exploiter astir the mistake, but it was excessively late. Source: Etherscan
How zkLend was exploited for $9.6 cardinal
zkLend suffered an bare marketplace exploit connected Feb. 11 erstwhile an attacker utilized a tiny deposit and flash loans to inflate the lending accumulator, according to the protocol’s Feb. 14 post-mortem.
The hacker past repeatedly deposited and withdrew funds, exploiting rounding errors that became important owed to the inflated accumulator.
The attacker bridged the stolen funds to Ethereum and aboriginal failed to launder them done Railgun aft protocol policies returned them to the archetypal address.
Following the exploit, zkLend projected the hacker could support 10% of the funds arsenic a bounty and offered to merchandise the culprit from ineligible liability and scrutiny from instrumentality enforcement if the remaining Ether was returned.
Related: DeFi protocol SIR.trading loses full $355K TVL successful ‘worst news’ possible
The connection deadline of Feb. 14 passed with nary nationalist effect from either party. In a Feb. 19 update to X, zkLend said it was present offering a $500,000 bounty for immoderate verifiable accusation that could pb to the hacker being arrested and the funds recovered.
Losses to crypto scams, exploits and hacks totaled implicit $33 million, according to blockchain information steadfast CertiK, but dropped to $28 cardinal aft decentralized speech aggregator 1inch successfully recovered its stolen funds.
Losses to crypto scams, exploits and hacks totaled nearly $1.53 cardinal successful February. The $1.4 cardinal Feb. 21 onslaught connected Bybit by North Korea’s Lazarus Group made up the lion’s stock and took the rubric for largest crypto hack ever, doubling the $650 cardinal Ronin span hack successful March 2022.
Magazine: Lazarus Group’s favourite exploit revealed — Crypto hacks analysis
English (US) 