Vitalik praises Railgun for stopping hackers from laundering money

Railgun successfully prevented the ZKlend attacker from laundering money. In the past, similar platforms have been targeted by the authorities because they can aid money laundering.

In the latest article Vitalik Buterin, the founder of Ethereum, praised Railgun for successfully preventing ZKlend hackers from laundering money. This shows how an on-chain security system can work effectively without the need for monitoring mechanisms.

The event is especially important given that many security projects in crypto are struggling in the face of tightening pressure from regulators. In recent years, anonymous platforms such as Tornado Cash and Bitcoin Fog have been targeted by the authorities for being seen as tools to aid money laundering.

vitalik.eth

@VitalikButerin

·Follow

This is a solid demonstration of Railgun's privacy pools mechanism ( papers.ssrn.com/sol3/papers.cf… ) working in practice, allowing Railgun to avoid serving proceeds of crime without using any snooping / backdoors. How it works: * Anyone can deposit into Railgun. * After you deposit,

Vladimir S. | Officer's Notes

@officer_cia

Eventually, @zkLend has suffered a $9.5M exploit on the Starknet network. Stolen funds were bridged to Ethereum and laundered via Railgun, but due to protocol policies, the funds were returned to the original address by Railgun!

11:09 AM · Feb 13, 2025

2.8K

Read 572 replies

On February 12, hackers exploited a “number rounding” bug on zKlend, the Starknet lending protocol, and withdrew more than 3,600 ETH, worth about $9.5 million.

He repeatedly sent and withdrew WSTeth to manipulate the borrowing rate mechanism, faking the balance and withdrawing money to the Ethereum mainnet. The hacker then transferred the property to Railgun to hide the traces.

However, Railgun's control system blocked the transaction, forcing hackers to keep the money in the wallet instead of legitimizing it through the privacy pool.

How Hackers Manipulated ZKLend's Smart Contract to Capture Money Source: @officer_cia

As soon as the incident was discovered, the ZKLend team quickly stepped in, working with parties such as StarkWare Ltd, Starknet Foundation, zeroshadow.io (formerly Chainalysis Incident Response), and Binance Security Team to trace the identity of the hacker.

The project even contacted the hacker directly, offering him to refund most of the money and keep 10% as a reward. However, so far hackers have not accepted the offer and the money is now in wallets marked on blockchain scanners.

The cost of smuggling this money can exceed 90% of the total amount of money seized, which hackers should return to avoid being tracked.

Vladimir said as well as sent a message to the hacker

After the wallet address was flagged, hackers either used Tornado Cash (still active) or fake KYC to launder money through centralized exchanges (CEX). However, with this wallet address already flagged across the entire ecosystem, the likelihood of successful money laundering is very low.

How Railgun Works. Source: Railgun Docs

Railgun is a security protocol on Ethereum that uses zero-knowledge proof and liquidity pools to hide transaction information, from sender and recipient to the amount.

However, unlike traditional money mixing services, Railgun implements a system of “Private Proofs of Innocence” to prevent illegal money from entering the privacy pool.

When users send tokens to Railgun, the system automatically checks the list of marked addresses. If property of suspicious origin is detected, such funds will be blocked and can only be withdrawn to the original address. This is exactly what happened when the ZKlend hacker laundered money through the platform.

Railgun has given itself more than $2.6 billion in trading volume since its launch. Source: @railgun_project

The event also raised questions about the line between on-chain security and fighting financial crime. While privacy can help hackers hide cash flows, platforms like Railgun are seeking to create a balanced model where legitimate transactions remain protected without aiding illegal activity.

Buterin has long been interested in the possibility of developing compliant security tools. In 2023, he co-authored research on “Privacy Pools,” proposing a security model that could screen suspicious addresses without compromising the privacy of legitimate users.