• Claim

Name

A zkLend exploit on February 12, 2025, allowed an attacker to steal $9.5 million in ETH, which they attempted to launder through Railgun. Railgun’s Private Proofs of Innocence flagged the funds, preventing them from being anonymized.

Types

Claim

Quotes that support claims

However, unlike most so-called “mixers,” Railgun has implemented a system called “Private Proofs of Innocence” designed to block illicit funds from entering the privacy pool. When deposited into Railgun, tokens are automatically screened against a list of known malicious addresses. If found to have a suspicious provenance, the tokens will not be allowed to enter the protocol’s privacy set and can only be withdrawn to the original address. It appears that is precisely what happened on Railgun. On Feb. 12, an attacker began exploiting an unknown “rounding error bug” on the Starknet-based money-market protocol zkLend that allowed him to withdraw 3,600 ETH (worth around $9.5 million at the time). After inflating his balance by repeatedly depositing and withdrawing wstETH by manipulating the “lending_accumulator,” the attacker bridged his assets to the Ethereum mainchain and moved them to Railgun. Because all of this so far was visible onchain, the zKLend team contacted the hacker in an attempt to get him to send back the majority of the funds and keep 10% as a “white hat” reward. “We are actively tracking the funds and pursuing the identification of the hacker, in collaboration with @StarkWareLtd, the @StarknetFndn, @zeroshadow_io (formerly @chainalysis Incident Response), Binance Security Team, and @HypernativeLabs,” the team posted.

Referenced by

Summary

Crypto news

Data block