zkLend Shuts Down After $9.5 Million Exploit and Token Delisting, Exposing DeFi Fragility

On June 25, 2025, zkLend, a decentralized lending protocol built on Starknet, announced the cessation of its operations, marking the end of its brief but ambitious run in the DeFi ecosystem.

The decision follows a devastating $9.5 million exploit in February 2025, which severely undermined user confidence, coupled with the delisting of its native ZEND token from major exchanges like Bybit and KuCoin. These events crippled the protocol’s liquidity and made a relaunch unfeasible.

According to zkLend team, the remaining $200,000 in its treasury will be redirected to a user recovery fund to support those affected by the hack. The protocol will maintain its DeFi Spring, recovery, and kSTRK portals to allow users to unstake assets or claim balances, while continuing to work with blockchain forensics firm zeroShadow to track stolen funds.

Additionally, zkLend plans to open-source its audited codebase in the coming weeks, enabling other developers to build upon its infrastructure. “We will continue to remain online and committed to the recovery of stolen funds through any means necessary,” the team stated in its announcement. The shutdown highlights the persistent security challenges facing DeFi protocols and the fragility of user trust in the wake of exploits.

zkLend’s Journey: From Ambitious Beginnings to Critical Setbacks

Launched in late 2023 on Starknet, zkLend aimed to combine zero-knowledge rollup scalability with Ethereum’s security to deliver non-custodial lending and borrowing through yield-optimized money markets.

The project gained early traction with a $5 million seed funding round in March 2022, led by Delphi Digital and supported by investors like StarkWare, Three Arrows Capital, and Alameda Research.

The funding was earmarked for launching Artemis, a permissionless lending platform for DeFi users, and Apollo, a compliance-focused solution for institutional clients. At its peak, zkLend managed nearly $56 billion in total value locked, ranking among the top five DeFi projects on Starknet.

However, February 2025 exploit exposed a decimal precision vulnerability in its smart contracts, allowing an attacker to drain $9.5 million. The attacker later lost 2,930 ETH (approximately $5.4 million) to a phishing site impersonating Tornado Cash, an ironic twist confirmed by SlowMist.

Despite offering a 10% white-hat bounty and collaborating with security firms like Cyvers and StarkWare, zkLend struggled to recover user trust. The subsequent delisting of ZEND from major exchanges further eroded liquidity, sealing the project’s fate.

The Fragility of DeFi: Hacks, Exploits, and Project Closures

zkLend’s closure is part of a broader wave of challenges in the DeFi sector, with crypto hacks and exploits resulting in losses exceeding $2 billion industry-wide — a sharp 50% increase compared to 2024. This surge is driven primarily by a rise in access control attacks, which accounted for over 80% of thefts in the first quarter alone. High-profile incidents, including the $1.4 billion Bybit exchange hack linked to North Korean threat actors, highlight the growing sophistication and frequency of these attacks.

Several DeFi projects, particularly lending protocols and related platforms, have faced shutdowns since May 2025, reflecting the sector’s vulnerability to security breaches and market pressures. Below are four notable examples:

Infini Card Shutdown: On June 17, 2025, Infini Card, a crypto-based payment and lending service, announced the termination of its Global, Lite, and Tech card services, offering refunds for affected users’ card fees. While the exact reasons remain undisclosed, market speculation points to regulatory pressures and declining user adoption, particularly as DeFi lending platforms face stricter compliance requirements.

EraLend Shutdown: EraLend, a lending protocol on the zkSync blockchain, ceased operations in May 2025 following a $3.4 million exploit in late 2024. Similar to zkLend, EraLend suffered from a rounding error vulnerability in its smart contracts, which eroded user trust and led to significant withdrawals. The protocol’s native token was delisted from exchanges, and the team announced a shutdown, redirecting remaining funds to user compensation.

These shutdowns underscore the critical need for robust security measures, rigorous smart contract audits, and adaptive strategies to navigate regulatory landscapes. The DeFi sector’s ongoing challenges highlight the importance of community trust and resilience to sustain decentralized finance’s growth.