
The hacker who stole from zkLend, a decentralized lending protocol on Starknet, back in February has lost a significant portion of the stolen funds through his own greed and short-sightedness. In effect, thieves have robbed the thief (and this is not an April Fool's joke).
It all started when a hacker found a vulnerability and actively exploited it on February 11. The attacker used small deposits and flash loans to inflate the lending accumulator. Then the hacker made several deposits and withdrawals that exploited rounding errors (the larger the accumulator, the greater the error in the user's favor). At that point, the protocol lost about $9.6 million.
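The rounding issue described above can be seen in a simplified model of accumulator-based accounting. This is an added example, not zkLend's code: `SCALE`, the function names and the single-user model are assumptions. It measures how far a user's remaining claim can exceed what the pool still holds when the raw balance burned on withdrawal is rounded down, and shows that rounding up removes the gap.

```python
SCALE = 10**27  # fixed-point scale for the accumulator (assumed)


def to_raw(amount, acc, round_up):
    """Convert a token amount to raw (scaled) balance units."""
    num = amount * SCALE
    return -(-num // acc) if round_up else num // acc


def to_face(raw, acc):
    """Convert raw balance units back to a token amount."""
    return raw * acc // SCALE


def shortfall(acc, deposit, withdraw, burn_rounds_up):
    """Remaining claim minus remaining cash after one deposit and one
    withdrawal. Positive means the pool owes more than it holds.
    Returns None when the withdrawal is rejected for lack of balance."""
    raw = to_raw(deposit, acc, round_up=False)      # mint rounds down
    burned = to_raw(withdraw, acc, round_up=burn_rounds_up)
    if burned > raw:
        return None
    cash = deposit - withdraw  # negative: paid from other depositors' funds
    claims = to_face(raw - burned, acc)
    return claims - cash


def worst_shortfall(acc_units, burn_rounds_up):
    """Largest shortfall over all small deposit/withdraw pairs for an
    accumulator equal to acc_units (1 = freshly initialised pool)."""
    acc = acc_units * SCALE
    amounts = range(1, 2 * acc_units + 1)
    results = [shortfall(acc, d, w, burn_rounds_up)
               for d in amounts for w in amounts]
    return max(r for r in results if r is not None)


if __name__ == "__main__":
    for units in (1, 4, 40):
        print(units,
              "burn rounds down:", worst_shortfall(units, False),
              "| burn rounds up:", worst_shortfall(units, True))
```

With the burn rounded down, the worst-case gap per withdrawal is the accumulator value minus one unit, so it grows with the accumulator; with the burn rounded up it never exceeds zero.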
Later, the hacker converted all the stolen funds into Ethereum, but was unable to launder them through Railgun. After the exploit, zkLend offered to let the hacker keep 10% of the funds as a reward and promised to release him from legal liability or inspections by law enforcement agencies. But the smart guy didn't accept the offer. Instead, he decided to keep all the funds for himself, and in the end he was left with nothing.
The attacker tried to launder 2930 ETH worth about $5.5 million through the well-known Tornado Cash cryptomixer. But instead of using the original one, he sent his ETH to the phishing site tornadoeth[.]cash. In doing so he handed his funds over to other thieves, which Lookonchain analysts also confirmed.
Later, the hacker sent a message to zkLend, apologizing and saying that he had lost all the coins.
However, there is an assumption that this hacker and the owners of the phishing site may be related, although there is no evidence of this yet.