SlowMist: zkLend attackers used a special flash loan mechanism to exploit a rounding loophole on withdrawal and obtain more assets than expected
Odaily News: zkLend, the leading lending platform on the Starknet chain, was previously attacked and lost assets worth nearly 10 million US dollars. According to SlowMist's analysis, the core of the attack was that the attacker used a special mechanism in the flash loan to manipulate and amplify the value of the accumulator in an empty market, so that when withdrawing funds he could use the rounding loophole to obtain more assets than expected. It is recommended that project teams design a reasonable and safe flash loan logic model, account for the conditions that affect the calculation of the number of deposit certificate tokens, and implement a safe rounding mechanism in mathematical operations to prevent precision loss. In addition, audits and security testing should be strengthened for core business logic involving deposits and withdrawals, to avoid similar incidents.
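The rounding recommendation above can be checked with a small invariant test. The following is an added example, not zkLend's code and not taken from SlowMist's analysis; it is a simplified model of deposit certificate accounting in which `SCALE`, the function names and the accumulator values are all assumptions made for illustration.

```python
# Simplified lending-pool share accounting (constructed model, not zkLend code).
SCALE = 10**27  # assumed fixed-point scale for the accumulator


def face_value(raw: int, acc: int) -> int:
    """Underlying amount a raw certificate balance can claim (rounds down)."""
    return raw * acc // SCALE


def burn_floor(amount: int, acc: int) -> int:
    """Weak: rounds the burned certificates DOWN, in the withdrawer's favour."""
    return amount * SCALE // acc


def burn_ceil(amount: int, acc: int) -> int:
    """Hardened: rounds the burned certificates UP, in the pool's favour."""
    return -((-amount * SCALE) // acc)


def total_claim_after_withdraw(raw: int, amount: int, acc: int, burn_fn) -> int:
    """Amount paid out plus the face value of what the account still holds."""
    burn = burn_fn(amount, acc)
    if burn > raw:
        raise ValueError("withdrawal exceeds balance")
    return amount + face_value(raw - burn, acc)


def conserves_value(raw: int, acc: int, burn_fn) -> bool:
    """Invariant: no withdrawal size may leave the account with more than it had."""
    start = face_value(raw, acc)
    return all(total_claim_after_withdraw(raw, a, acc, burn_fn) <= start
               for a in range(1, start + 1))


if __name__ == "__main__":
    normal, amplified = SCALE, 4 * SCALE   # constructed accumulator values
    for name, fn in (("floor", burn_floor), ("ceil", burn_ceil)):
        print(name, conserves_value(8, normal, fn), conserves_value(2, amplified, fn))
```

With the accumulator at its normal value both rounding directions conserve value, which is why a test suite that never exercises an amplified accumulator will not catch the floor variant.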
