On April 11, 2024, Zest Protocol — the first lending and borrowing protocol built on the Stacks network, a Bitcoin Layer 2 — suffered a significant smart contract exploit that resulted in the loss of approximately 322,000 STX tokens, equivalent to roughly $1 million at the time. The attack targeted Zest Protocol’s Borrow module on the very day the protocol launched to the public, marking one of the earliest documented attacks on Bitcoin DeFi infrastructure. With Bitcoin trading near $70,060 and the broader crypto market cap hovering around $2.64 trillion, the incident sent a clear warning about the security challenges facing emerging Bitcoin DeFi protocols.
The Exploit Mechanics
The attacker exploited a vulnerability in how Zest Protocol’s Clarity smart contracts handled collateral valuation. Central to the attack was the manipulation of the collateral list — an essential data structure that determines a borrower’s capacity based on their pledged assets. By duplicating values within this list, the attacker tricked the smart contract into overvaluing their collateral position.
The exploit was executed through five sequential borrow calls, each containing a repeating asset list. In each call, the duplicated collateral entries caused the contract to calculate a total collateral value far exceeding the actual pledged amount. This discrepancy enabled the attacker to borrow substantially more than what should have been permitted, ultimately draining 322,000 STX from the protocol’s liquidity pools. The transactions were recorded on-chain, with the attacker using multiple accounts to orchestrate the sequence of actions.
Affected Systems
Zest Protocol operates on the Stacks blockchain, which settles transactions on the Bitcoin network. The protocol offered lending and borrowing markets for assets including STX and stSTX (stacked STX). Critically, stSTX — the largest TVL asset held by Zest Protocol — was not configured as borrowable, which limited the attack surface. The aeUSDC pool also remained untouched by the attacker. Only the STX lending pool was affected by the exploit.
The protocol had undergone a full smart contract audit prior to launch and had been running two bug bounty programs in parallel — more than any other protocol on Stacks at the time. A phased rollout with limited debt ceilings and restricted user access was in effect, yet the vulnerability in the collateral list handling was not identified during the audit process.
The Mitigation Strategy
Upon detecting the exploit, the Zest Protocol team immediately paused all smart contracts. User positions were frozen to prevent further losses, and the team confirmed that stSTX funds were unaffected since that asset was not borrowable. The 322,000 STX removed by the attacker was reimbursed from the Zest Protocol treasury, ensuring that user balances remained intact.
The team also initiated a full re-audit of the smart contracts, engaging auditors to complete a comprehensive review at the earliest possible date. In parallel, the team pursued legal action against the attacker, identifying a Binance withdrawal address that could potentially reveal the attacker’s identity through exchange KYC records.
Lessons Learned
The Zest Protocol exploit underscores several critical lessons for the emerging Bitcoin DeFi ecosystem. First, the Clarity smart contract language — while designed for security and predictability — had never been battle-tested in a production lending environment with real assets prior to Zest Protocol’s launch. Routine lending operations in Clarity represented entirely new territory. Second, collateral list validation must include explicit deduplication checks to prevent this class of attack. Third, the phased rollout approach with limited debt ceilings proved its worth — the attack was contained to a relatively small amount rather than risking the protocol’s entire TVL.
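To make the collateral-list flaw from The Exploit Mechanics and the deduplication check called for above concrete, here is an added Python model of the lending logic (not Zest Protocol's Clarity code); the market prices, LTV ratios and borrower position are constructed, and the fixed-asset-set variant is a design suggestion, not the fix Zest deployed.

```python
# Constructed market parameters, illustrative only (not Zest Protocol's real values).
# Prices are scaled by 1e6 (micro-units) and LTV is in basis points, mirroring the
# unsigned-integer arithmetic a Clarity contract would use.
SCALE = 1_000_000
BPS = 10_000
ASSET_PRICE = {"STX": 1 * SCALE, "stSTX": 1_050_000}   # price of one unit, in micro-STX
LTV_BPS = {"STX": 7_000, "stSTX": 6_000}                # loan-to-value, basis points

class DuplicateCollateral(ValueError):
    """Raised when a caller-supplied collateral list names an asset twice."""

def _entry_value(asset, pledged):
    """Borrowing power contributed by one asset: balance * price * LTV."""
    return pledged.get(asset, 0) * ASSET_PRICE[asset] // SCALE * LTV_BPS[asset] // BPS

def capacity_vulnerable(collateral_list, pledged):
    """Models the flaw the write-up describes: the contract trusts the caller's
    list and sums per entry, so an asset listed n times counts n times."""
    return sum(_entry_value(a, pledged) for a in collateral_list)

def capacity_hardened(collateral_list, pledged):
    """Same valuation, but the call is rejected if any asset repeats: the
    explicit deduplication check the Lessons Learned section calls for."""
    seen = set()
    for asset in collateral_list:
        if asset in seen:
            raise DuplicateCollateral(f"{asset} appears more than once")
        seen.add(asset)
    return sum(_entry_value(a, pledged) for a in collateral_list)

def capacity_fixed_set(_collateral_list, pledged):
    """Stronger design (an assumption, not the fix Zest shipped): ignore any
    caller-supplied list and value only the protocol's own asset set, so there
    is no list for a borrower to tamper with."""
    return sum(_entry_value(a, pledged) for a in ASSET_PRICE)

def borrow_allowed(amount, collateral_list, pledged, capacity_fn):
    """True when the requested amount (micro-STX) is within borrowing capacity."""
    return amount <= capacity_fn(collateral_list, pledged)

if __name__ == "__main__":
    pledged = {"STX": 1_000 * SCALE}      # constructed position: 1,000 STX
    padded = ["STX", "STX", "STX"]        # one asset repeated, as in the attack
    print(capacity_vulnerable(padded, pledged) // SCALE)   # 2100: triple-counted
    try:
        capacity_hardened(padded, pledged)
    except DuplicateCollateral as err:
        print("rejected:", err)
```

Because the hardened version raises instead of silently deduplicating, a repeated entry also surfaces as a failed transaction on-chain, which is the signal a monitoring rule can alert on.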
For the broader DeFi community, the incident serves as a reminder that even audited contracts can harbor subtle logic flaws. The collateral list manipulation was not a straightforward overflow or reentrancy bug but rather a business logic vulnerability that required deep understanding of the protocol’s lending mechanics.
User Action Required
Users who had funds in Zest Protocol at the time of the exploit should verify their balances through the Stacks explorer. The Zest Protocol team confirmed that user balances remain intact and that the treasury has covered the stolen STX. When the protocol reopens after the re-audit, users should expect enhanced security measures and potentially new asset listings. For DeFi users across all platforms, this incident reinforces the importance of understanding a protocol’s collateral management logic and the value of phased rollouts with limited exposure.
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before interacting with any DeFi protocol.
322k STX gone on launch day. brutal. collateral list duplication is such a basic vulnerability, how did nobody catch this in audit?
Five sequential borrow calls and not a single circuit breaker triggered. That's the real problem here, not the exploit itself.
^ exactly. the fact that it was day-one makes it worse. who audits for Stacks/Clarity anyway? the tooling is so immature compared to Solidity
stacks oracle nailed it. clarity smart contract auditing tooling is years behind solidity. bitcoin DeFi is going to have more of these growing pains
Natasha, five borrow calls and no circuit breaker. basic risk controls missing on launch day is negligence, not an exploit
322k STX lost because of a list duplication bug. not even a novel attack vector, just sloppy contract code. stacks needs better dev tooling asap
rocketfuel is spot on. list duplication is like SQL injection level basic. stacks needs formal verification tooling, not just community audits
bitcoin DeFi is going to have a steep learning curve. the security model is fundamentally different from EVM chains