zkLend Suffers $9.57 Million Exploit Through Decimal Precision Vulnerability on Starknet

The Starknet-based lending protocol zkLend suffered a devastating security breach in February 2025, losing approximately $9.57 million in digital assets after an attacker exploited a subtle decimal precision vulnerability in the platform’s smart contract code. The incident, which sent shockwaves through the Layer 2 DeFi ecosystem, highlights the persistent risks that even audited protocols face when handling complex mathematical operations across different token decimal configurations.

The Exploit Mechanics

The attacker targeted a critical flaw in how zkLend’s accumulator system handled decimal precision across different token types. Starknet, unlike Ethereum’s EVM, uses a Cairo programming model with its own arithmetic rules, and the vulnerability emerged from the interaction between token decimals and the protocol’s interest rate accumulator calculations. The exploit allowed the attacker to manipulate the accumulator to artificially inflate their collateral value while deflating their debt, creating a massive arbitrage opportunity that drained the protocol’s liquidity pools.

Specifically, the attacker used a flash loan to amplify their position, then triggered the decimal precision mismatch to withdraw significantly more value than they had deposited. The attack was executed in a single transaction, making it impossible for the protocol’s monitoring systems to intervene before the damage was done. With Bitcoin trading around $95,500 and Ethereum near $2,670 at the time, the stolen assets represented a substantial loss for the protocol’s users.

Affected Systems

The exploit directly impacted zkLend’s lending pools on Starknet, with multiple token markets affected including major stablecoins and wrapped assets. The protocol was forced to pause all operations immediately after detecting the breach. zkLend’s native ZEND token also experienced significant downward pressure as news of the exploit spread across social media and crypto news outlets.

The broader Starknet DeFi ecosystem felt the impact as well, with total value locked across the network dropping as users rushed to withdraw funds from other protocols out of caution. The incident raised uncomfortable questions about the maturity of Cairo-based smart contract development and whether existing audit practices adequately cover the unique risks of Starknet’s execution environment.

The Mitigation Strategy

zkLend’s response team acted swiftly to contain the damage. The protocol offered a 10% white hat bounty to the attacker, urging them to return the stolen funds. The team also engaged multiple blockchain security firms, including SlowMist and BlockSec, to conduct a thorough post-mortem analysis. Their findings confirmed that the decimal precision vulnerability was the root cause, with the exploit bearing similarities to the earlier EraLend hack on the same network.

For the broader ecosystem, the incident underscored the need for specialized audit tools that can detect decimal precision issues in Cairo smart contracts. Standard EVM-focused audit methodologies may not catch these types of vulnerabilities, creating a dangerous blind spot for protocols building on Starknet and similar non-EVM chains.

Lessons Learned

The zkLend exploit serves as a stark reminder that decimal handling remains one of the most treacherous areas of smart contract development. Even small discrepancies in how tokens with different decimal places interact within lending protocols can create exploitable conditions. Development teams must implement rigorous testing specifically for decimal edge cases, including fuzzing with extreme values and formal verification of mathematical operations.
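The "fuzzing with extreme values" recommendation above, as an added illustration that is not zkLend's code and does not reproduce the zkLend defect: a constructed model of a lending pool that stores balances scaled by an interest accumulator, where every raw-to-scaled conversion rounds, and a property check over 6/8/18-decimal tokens that counts cases in which the rounding direction lets a borrower owe less than was borrowed. The constant `RAY`, the pool functions and the sample amounts are all assumptions made for the example.

```python
"""Rounding-direction property check for an accumulator-based lending pool.
Constructed model for illustration; not zkLend's code or its actual defect."""
import random

RAY = 10**27  # fixed-point scale of the interest accumulator (constructed)

def div(n: int, d: int, round_up: bool) -> int:
    """Integer division with an explicit rounding direction."""
    q, r = divmod(n, d)
    return q + 1 if (round_up and r) else q

def to_scaled(raw: int, acc: int, round_up: bool) -> int:
    """Raw token units -> accumulator-scaled units: raw * RAY / acc."""
    return div(raw * RAY, acc, round_up)

def to_raw(scaled: int, acc: int, round_up: bool) -> int:
    """Scaled units -> raw token units: scaled * acc / RAY."""
    return div(scaled * acc, RAY, round_up)

def withdrawable_after_deposit(raw: int, acc: int) -> int:
    """Collateral path: scaled balance and payout both round down, so the
    depositor can never withdraw more than was deposited."""
    return to_raw(to_scaled(raw, acc, False), acc, False)

def owed_after_borrow(raw: int, acc: int, round_debt_up: bool) -> int:
    """Debt path: scaled debt rounds per `round_debt_up`; the repayment amount
    is rounded up.  Rounding the scaled debt DOWN is the weak setting."""
    return to_raw(to_scaled(raw, acc, round_debt_up), acc, True)

def count_debt_leaks(round_debt_up: bool, trials: int = 2000, seed: int = 1) -> int:
    """Fuzz the debt path over 6/8/18-decimal tokens, extreme amounts and
    accumulators that have grown past 1.0; count cases where owed < borrowed."""
    rng = random.Random(seed)
    leaks = 0
    for _ in range(trials):
        dec = rng.choice((6, 8, 18))
        raw = rng.choice((1, 10**dec, 10**dec + 1, 2**128 - 1,
                          rng.randrange(1, 10**(dec + 6))))
        acc = rng.choice((RAY, 3 * RAY, rng.randrange(RAY + 1, 5 * RAY)))
        if owed_after_borrow(raw, acc, round_debt_up) < raw:
            leaks += 1
    return leaks

if __name__ == "__main__":
    print("scaled debt rounded down, leaks:", count_debt_leaks(False))  # > 0
    print("scaled debt rounded up,   leaks:", count_debt_leaks(True))   # 0
```

The same harness extends to any other conversion in a pool (share prices, index updates, decimal normalisation between tokens) by swapping the function under test and the invariant.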

The incident also highlights the importance of layered security approaches. While audits are essential, protocols should complement them with real-time monitoring systems that can detect anomalous accumulator behavior, circuit breakers that pause operations when unusual withdrawal patterns emerge, and insurance mechanisms that can compensate users in the event of a successful exploit.

User Action Required

Users who had funds deposited in zkLend should monitor the protocol’s official communication channels for updates on the recovery process and any potential compensation plans. For users of other Starknet DeFi protocols, this incident serves as a reminder to evaluate the security measures in place, particularly around decimal handling and accumulator mechanisms. Diversifying across multiple protocols and chains remains one of the most effective strategies for minimizing the impact of any single exploit.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any DeFi protocol.

9 thoughts on “zkLend Suffers $9.57 Million Exploit Through Decimal Precision Vulnerability on Starknet”

  1. decimal precision bugs keep happening because auditors know Solidity inside out but barely understand Cairo. L2 security is only as strong as the audit quality

    1. startup funding vaporized in one transaction. and Starknet audits somehow missed basic decimal math. Cairo is a different beast from Solidity

      1. cairo audits are still in their infancy compared to solidity. the tooling just isn't there yet for catching these edge cases

        1. Mira Novak, the tooling gap between Cairo and Solidity is massive. Echidna and Slither don't even have proper Cairo equivalents yet

    1. Been through worse exploits. The real question is: how long until they patch this and do people come back?

      1. sarah K, people came back after bigger exploits on ethereum mainnet. question is whether starknet defi TVL ever recovers to levels where this matters

  2. flash loan to amplify a decimal precision exploit is clean execution. one transaction, 9.57M gone. the accumulator design was the weak link
