Written by: rekt
Translated by: Glendon, Techub News
Ten months of silence can cover up a lot of bad debts.
On February 23, 2025, the LBTC market on the Base chain was cleared out by ZeroLend—just 18 days after Ionic Money collapsed due to the same fake collateral scam. However, the protocol never mentioned a word about it. When users launched a fierce attack on Discord regarding the withdrawal freeze issue, the administrators blamed it on "high usage" and "maintenance"—until the end of 2025, when torakapa revealed the truth.
The truth is: the treasury was empty, and almost no one mentioned this theft.
At that time, a wallet borrowed 3.92 LBTC in three transactions within 45 minutes, transferring profits across chains via Across Protocol, but ultimately left behind worthless PT-LBTC collateral. This debt token still lies on the chain, like a receipt that no one is willing to acknowledge.
The GitHub commit history had stagnated since last September. The token had disappeared from exchange listing, and the team may have abandoned their Discord and Twitter accounts. With $3 million in seed round financing, claiming to be the largest L2, LRT, RWA, and BTCFi lending market, the Twitter profile was filled with names from the security industry, and a founder listed on LinkedIn as "managing assets over $200 million"—yet, when ZeroLend collapsed, no one noticed?
When a protocol is attacked and then pretends nothing happened for ten months, who is really pulling the strings behind the scenes— the hacker who emptied the treasury, or the team that kept the deposit button functioning?
The Sequence of Events
A single tweet was enough to break this carefully crafted silence.
At the end of 2025, torakapa dropped a bombshell: "There was never any user interface issue. Zerelend is lying; they were attacked on February 23, 2025. The hacker provided PT-LBTC and manipulated the price, borrowing 4.4421 LBTC."
The address attached to that tweet tells a story that ZeroLend might never want to make public.
Attacker address: 0x218C572b1Ab6065D74bEbcB708a3f523D14F7719; the token holdings of this wallet on Basescan read like a confession.
ZeroLend zk Variable Debt LBTC: 3.92307607—ZeroLend's variable debt token, proving an unpaid loan that has accumulated nearly a year of interest. ZeroLend PT Lombard LBTC 29 MAY2025: 10.9955337—Pendle principal token, used to extract actual LBTC from the protocol as "collateral." The date in the token name marks its expiration date—at which point PT holders can redeem the underlying asset. Before that, it trades at a discount, making it an enticing but high-risk collateral option.
On February 23, 2025, the attack proceeded methodically.
Attacker address (Base): 0x218C572b1Ab6065D74bEbcB708a3f523D14F7719
Attacker address (Arbitrum): 0x218C572b1Ab6065D74bEbcB708a3f523D14F7719
Attacker address (Ethereum): 0x218C572b1Ab6065D74bEbcB708a3f523D14F7719
Funds from the Arbitrum and Base wallets were transferred via the Across protocol bridge, with PT-LBTC deposited as collateral into ZeroLend's liquidity pool, then withdrawals began. The attacker’s wallet attacked the protocol three times within 45 minutes. They "borrowed" about 3.923 LBTC (worth approximately $371,000 at the time), but never repaid.
First attack—borrowed 0.95324998 LBTC: 0xdf1c69feb8e63c70f874cdff22bba7c53eb42a5245e9695713e850966c54ce2a
Second attack—borrowed 1.47687998 LBTC: 0x47fbcdc986c08bf779cb66267c3f6baa0dd43d6a8591f548dbcda5a1c9fce2d2
Third attack—borrowed 1.492946 LBTC: 0xc02cea219b2748ccb8e28b2b23c14d7f6d3d144724ba1b9e17adbf07e70e51a3
All paths lead to the Across protocol, where the attacker brought 38 ETH to Base to fund this operation, exchanged the borrowed LBTC through Aerodrome DEX, and left with 163.65 ETH, netting about $125,000.
This operation is a textbook example of DeFi arbitrage: depositing illiquid derivatives as collateral, borrowing liquid assets, transferring profits across chains, and then abandoning the loan. The protocol side is left with worthless "scraps," while the real funds vanish without a trace.
This wallet still has a small amount of funds left—1.5 ETH on Arbitrum and 0.5 ETH on Base.
The debt tokens were not transferred, and the collateral remained intact. This loan will never be repaid. For ten months, ZeroLend pretended that none of this ever happened. It’s worth noting that just 18 days before this attack, a similar script had already caused a larger tragedy and made headlines. If the lesson of Ionic Money losing $8.8 million was widely disseminated across every security platform in DeFi, how could ZeroLend have missed this news?
A Familiar Incident in 18 Days
According to research by QuillAudits, as of February 4, 2025, Ionic Money on the Mode Network lost $8.8 million.
This attack garnered widespread attention in the DeFi security space, with a variety of LBTC tokens stolen. Logically, all protocols running LBTC derivatives should have remained highly vigilant.
The attack method was extremely simple: the attacker impersonated a member of the Lombard Finance team, convincing Ionic to launch a fake LBTC token, minting 250 counterfeit tokens and borrowing all the funds within the protocol. A social engineering attack disguised as a smart contract. The attacker didn’t need to find a vulnerability—they just needed someone to answer the phone.
Eighteen days later, ZeroLend's market on the Base chain also fell victim to a similar attack. The same asset class, the same collateral manipulation method, in the same month.
The attacker of Ionic used a completely counterfeit LBTC token as collateral; the attacker of ZeroLend used PT-LBTC (a Pendle derivative)—different packaging, but the same manipulation method. Ionic lost about $8.8 million, while ZeroLend lost a total of about $371,000. Ionic at least released a post-mortem analysis on the matter, but ZeroLend published nothing.
ZeroLend is not some obscure fork project unknown to anyone. Lombard Finance had announced that when LBTC launched on Base in November 2024, ZeroLend would be a launch partner: "When LBTC launches, it will run on the major DeFi protocols on Base, including Pendle, Aerodrome, ZeroLend, and Morpho."
As a front-row spectator of the LBTC ecosystem, it meant they could witness Ionic's collapse firsthand. The attack script was public, and warning signals were flashing. Yet, less than three weeks later, a nearly identical attack directly breached ZeroLend's doors.
Audit Medley
Moreover, ZeroLend's Twitter profile is practically a who's who of blockchain security: Chaos Labs, Zokyo, Halborn, PeckShield, Sherlock, Immunefi, and Cantina.
An impressive lineup, but no one among them is held accountable for what happened.
Mundus conducted a deployment check in 2023—verifying that ZeroLend had no backdoors; PeckShield audited its core protocol in February 2024, when the LBTC market had not yet emerged; Halborn's report covered the token contract of its stablecoin ONEZ, rather than the lending market; Zokyo's audit in November 2024 actually examined the Pendle PT integration code: ATokenPendlePT.sol and related contracts. No significant issues or high-risk problems were found.
Score: 70 points (out of 100). So, where did the problem lie?
The attack was not due to a code vulnerability. There were no reentrancy bugs, no overflow bugs, and no logical flaws waiting to be discovered. The attacker exploited a risk management decision: ZeroLend chose to list PT-LBTC as a borrowable collateral, while its oracle parameters could be manipulated.
Audits do not cover the question of "Should we list this asset?" nor would any security firm sign off on collateral factors and liquidation thresholds. That falls under corporate governance, and it is the team's responsibility. (Note: "Audit medley" does not imply that auditors failed to find vulnerabilities, but rather refers to a protocol piling up various labels to create the illusion of comprehensive coverage while making risk decisions that no audit ever intended to assess.)
Eighteen days after Ionic Money confirmed that LBTC derivatives were attacked, ZeroLend listed PT-LBTC as collateral on the Base platform. This decision was made not by auditors, but by internal personnel at ZeroLend.
Zombie Market
Vulnerabilities may eventually disappear, but zombie markets will continue to thrive.
Now, ten months after the attack, ZeroLend's LBTC market on the Base chain still accepts deposits. The "supply" button works fine. However, when attempting to withdraw, it suddenly displays "high utilization" and "please try again later."
Yet, "later" never comes.
In November 2025, a user recorded this experience: he deposited LBTC but could not withdraw, receiving three different explanations from Discord—"the liquidity pool is nearly exhausted, waiting for liquidity to return," "assets have been paused for trading for security reasons," and "frontend/UI issues, the development team has been notified." He requested a clear public status update from the official team but has yet to receive a response.
Shortly thereafter, on-chain data revealed something uglier than simple exploit consequences.
On January 13, 2026: a user deposited 0.000001 LBTC into the liquidity pool. Fourteen seconds later, this liquidity was transferred to a Gnosis Safe multi-signature wallet.
Gnosis Safe address: 0x0f2876396a71fe09a175d97f83744377be9b6363
Basescan shows that this wallet was created on April 27, 2025—two months after the exploit incident in February. Did someone see a compromised pool and set a trap?
This wallet uses Gelato, an automated trading relay service that allows smart contracts to execute when triggered.
The token transfer history on Basescan shows that over the past eight months, this address has executed dozens of withdrawal transactions from ZeroLend's LBTC pool, extracting over $100,000 in total. Currently, this address still provides funds to the pool and continues to siphon off any liquidity that appears.
Clearly, this is not a story of trapped victims desperately trying to escape. Instead, someone has built an automated theft system using the flawed but still operational liquidity pool left behind by ZeroLend. For addresses that opened months after the attack, every new depositor becomes a source of liquidity for withdrawals. Yet, ZeroLend remains indifferent to this.
The display of the annual percentage yield (APY) speaks volumes. ZeroLend's usage mechanism follows the mathematical principles of Aave V3—when nearly all deposited assets are borrowed and never returned, interest rates soar to alarming levels, and most users wouldn’t even think to check.
DefiLlama currently shows that ZeroLend's total value locked (TVL) on Base is about $100,000.
Meanwhile, the project's "vital signs" had stopped beating months ago.
GitHub activity tracking shows that ZeroLend has had no updates since September 2025. Developer metrics from Stack.money indicate that the protocol is at best in maintenance mode, and at worst has been abandoned.
The ZERO token also reflects the current financial situation. It has dropped 100% from its historical high in September 2024 and was delisted from OKX on June 4, 2025. CoinMarketCap data shows that 91% of the tokens are concentrated in the top ten wallet addresses—this distribution makes exit liquidity for everyone else extremely limited.
Silence reigns on Twitter. Users report that Discord administrators have not provided any clear information from the development team. The founder's LinkedIn page still states that he manages assets "over $200 million," while DefiLlama data shows that the total TVL across all chains has plummeted to about $10 million.
A protocol does not die instantly.
Its demise is phased: first, an unmentioned attack, then excuses to buy time, followed by developers stopping development, then exchanges delisting the token, and finally, the team's silence, which speaks volumes.
ZeroLend has gone through all these stages. The only thing that remains is the deposit button.
When a protocol leaves behind a compromised pool and is open long enough for someone to build an automated extraction business on it, who is the real operator?
Is Silence Also a Strategy?
Ionic Money lost $8.8 million and announced it to the world within hours. While unpleasant and painful, at least it was honest. It made users aware of their situation.
ZeroLend lost $371,000 but chose a different response strategy—using "high utilization" as an excuse for ten months while the deposit button continued to attract new victims.
The attack itself was almost unoriginal, and the methods were very clichéd. What is not boring is the subsequent development.
The project disclosed no information, no post-mortem analysis, and no governance plan for compensation. Only administrators on Discord provided cover, while an automated extraction operation methodically siphoned off any liquidity that appeared.
ZeroLend's $3 million seed funding came from companies like Momentum 6, Blockchain Founders Fund, and Morningstar Ventures. A founder with a degree from the University of Toronto and claims of managing $200 million in assets. All these elements constitute a legitimate operational factor, but once problems arise, there is a lack of accountability.
DeFi promises trustless finance—code is law, transparency is default, and accountability is woven into every block. ZeroLend, however, is the exact opposite: a silent bankruptcy, coupled with audit badges and "please try again later" prompts.
The hacker who emptied the treasury made off with $371,000. And what about the team that made it all happen? They are still collecting deposits (assuming this team still exists).
In a field that prides itself on complete transparency, when protocols discover they can fail quietly without facing any consequences, what will be the true cost?
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
