
zkLend: The Empty Market Accumulator Exploit (February 2025)

On February 12, 2025, zkLend, a major money market on Starknet, was exploited for approximately $9.6 million. The attack was technically sophisticated, involving an interaction between empty markets, interest rate accumulators, and precision rounding errors in a math library.

Technical Overview

zkLend, like many DeFi lending protocols, uses an "accumulator" to track interest over time. This accumulator scales up as interest is earned. When a user deposits or withdraws, their principal is converted to "zTokens" (internal shares) by dividing or multiplying by this accumulator.

The vulnerability was rooted in how the protocol handled empty markets (markets with 0 total supply) and the specific division logic in its safeMath library during asset withdrawals.

Exploit Mechanism: Accumulator Manipulation & Rounding Error

The attacker executed the exploit in a single transaction pattern, repeated across multiple assets:

  1. Market Emptying: The attacker manipulated a specific market to reach a state where the total_supply of the underlying asset was nearly zero.
  2. Flash Loan Integration: Using a flash loan, the attacker interacted with the empty market to trigger a specific update to the interest rate accumulator.
  3. Accumulator Amplification: In an empty market, certain arithmetic operations in the interest rate model could result in an abnormally high accumulator value if not properly bounded.
  4. The Rounding Trap: During the withdrawal phase, the protocol calculated the number of zTokens (shares) to burn:
    • zTokensToBurn = amountToWithdraw / accumulator
  5. Precision Loss: Due to a rounding vulnerability in the safeMath library (using direct division instead of rounding up), the attacker was able to craft withdrawal amounts that resulted in zero zTokens being burned while still successfully withdrawing substantial underlying assets.
  6. The Drain: By looping this process—withdrawing assets without reducing their internal share balance—the attacker effectively drained the protocol's liquidity.

Why This Matters (The "Starknet Era" Vulnerability)

This incident represents one of the first major technical exploits on Starknet and highlights that while Cairo (the language of Starknet) and its VM provide unique safety features, they do not automatically prevent classic mathematical logic errors. Furthermore, the attacker used a proxy EOA and elements of EIP-7702 (proposed for Ethereum) patterns to orchestrate a complex flow, showing that cross-chain attacker patterns are evolving.

Mitigation Strategies

  • Virtual Liquidity: Protocols should seed new or empty markets with a tiny amount of "virtual liquidity" (burnt shares) to prevent accumulator division-by-zero or extreme scaling issues.
  • Rounding Direction Policy: Always round mathematical operations in favor of the protocol's solvency. For withdrawals, share requirements should always round up to ensure at least 1 unit of share is burned if value is taken.
  • Accumulator Guardrails: Implement hard caps on how much an interest rate accumulator can change within a single block or transaction.
  • Library Audits: Core math libraries (like SafeMath implementations in Cairo) must be rigorously formally verified for edge cases like precision underflow.
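
The share calculation from step 4 of the exploit mechanism and the rounding-direction policy above, as an added Python example that is not zkLend's Cairo code. The fixed-point scale, the accumulator value, the balances and all function names are assumptions constructed for illustration.

```python
# Added example; SCALE and every number below are constructed for illustration.
SCALE = 10**27             # assumed fixed-point scale of the accumulator
INFLATED_ACC = 4 * SCALE   # constructed: one share is worth 4 units of underlying


def burn_floor(amount: int, accumulator: int) -> int:
    """Truncating division: the share count rounds toward zero."""
    return amount * SCALE // accumulator


def burn_ceil(amount: int, accumulator: int) -> int:
    """Ceiling division: any non-zero withdrawal burns at least one share."""
    return (amount * SCALE + accumulator - 1) // accumulator


def covers(amount: int, burned: int, accumulator: int) -> bool:
    """Solvency invariant: burned shares are worth at least the amount paid out."""
    return burned * accumulator >= amount * SCALE


def replay(shares: int, amount: int, accumulator: int, burn_fn, rounds: int):
    """Repeat one withdrawal size; return (underlying paid out, shares left)."""
    paid = 0
    for _ in range(rounds):
        burned = burn_fn(amount, accumulator)
        if burned > shares:  # not enough shares left to cover this withdrawal
            break
        shares -= burned
        paid += amount
    return paid, shares


if __name__ == "__main__":
    for name, fn in (("floor", burn_floor), ("ceil", burn_ceil)):
        burned = fn(3, INFLATED_ACC)
        paid, left = replay(2, 3, INFLATED_ACC, fn, rounds=5)
        print(f"{name}: burn={burned} invariant_ok={covers(3, burned, INFLATED_ACC)} "
              f"paid={paid} shares_left={left}")
```

The covers() check is the kind of invariant worth asserting in property tests over near-zero supplies and extreme accumulator values: it fails for every truncated result and holds for every rounded-up one.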

Conclusion

The zkLend exploit is a definitive lesson in the dangers of empty market state. It demonstrates that the most secure protocol can be broken by a single rounding decision in a low-level math library. For security researchers, it emphasizes the importance of testing "boundary conditions"—states where supplies are zero or near-zero and variables reach extreme values.