How Does Zest Work?

Lending | Risk C+ | 6 mechanisms | 5 interactions

Zest is the largest DeFi lending protocol on Stacks, bringing lending and borrowing capabilities to the Bitcoin ecosystem. You can deposit STX, sBTC, stablecoins, and other assets to earn yield, or borrow against your holdings. Zest is also building BTCz, a yield-bearing Bitcoin restaking product built on Babylon. The protocol has raised $3.5M from Draper Associates and YZi Labs, uses the Pyth oracle for pricing, and has an ImmuneFi bug bounty program. However, it was exploited for $897K on its launch day, which the team reimbursed from treasury.

TVL: $83M
Sector: Lending
Risk Grade: C+
Value Grade: C-

Core Mechanisms

Lending/Pool-Based

Stacks Market: lending and borrowing pools for STX, sBTC, stSTX, USDC, and other Stacks assets

Standard pool-based lending with variable interest rates based on utilization. Users supply assets to earn yield from borrowers. The Stacks Market is the primary live product with $65M+ in deposits.

Lending/Bitcoin-Native (Novel)

Bitcoin Market: planned lending against BTC and Bitcoin-backed assets (not yet live)

The Bitcoin Market will enable lending and borrowing against native BTC through Stacks' sBTC bridge. This is a novel product that brings lending to Bitcoin without wrapping tokens on EVM chains.

Staking/Liquid-Restaking (Novel)

BTCz: tokenized yield-bearing staked BTC built on Babylon and secured by Stacks smart contracts

BTCz represents staked BTC through Babylon's restaking protocol, with Stacks smart contracts managing the tokenization. Combines Bitcoin restaking with Stacks-based DeFi composability.

Oracle/Price-Feed

Pyth Network oracle integration for asset pricing on Stacks

Zest uses the Pyth oracle network for price feeds that drive liquidation triggers and collateral valuations. Pyth on Stacks is newer than on EVM chains.

Risk-Management/Liquidation

Automated liquidation with collateral ratio monitoring on Stacks

Standard liquidation mechanism that allows liquidators to repay under-collateralized positions. The Stacks blockchain's ~10-second block times affect liquidation speed relative to faster chains.

Incentive/Points

Points program rewarding deposits and borrowing activity for future token airdrop

Ongoing points campaign where users earn points for supplying and borrowing. Points are expected to convert to a ZEST governance token via airdrop, though no token has launched yet.

How the Pieces Interact

Collateral value manipulation (day-1 exploit) | Lending pool solvency | High

The launch-day exploit demonstrated that Zest's collateral valuation logic was vulnerable to manipulation. While patched, this revealed potential for similar manipulation vectors in the codebase that may not yet be discovered.

Clarity smart contracts on Stacks | Security auditor availability | High

Clarity is a decidable language with formal verification potential, but the pool of experienced Clarity auditors is much smaller than for Solidity. Critical bugs may go undiscovered due to limited security researcher attention.

Pyth oracle on Stacks | Liquidation timing | Medium

Pyth oracle integration on Stacks is newer and less battle-tested than on EVM. Combined with Stacks' slower block times, oracle latency could create windows where liquidations are delayed or manipulated.

BTCz liquid restaking | Babylon dependency | Medium

BTCz depends on both Babylon's restaking protocol and Stacks' sBTC bridge, creating a chain of dependencies. A failure in either Babylon or sBTC could leave BTCz holders unable to redeem their underlying BTC.

Points program / future token | Mercenary capital | Medium

Points-driven deposits may flee once the airdrop occurs, causing a sharp TVL drop. Protocol health metrics during the points program may not reflect sustainable long-term adoption.
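The oracle and liquidation-timing interaction above comes down to whether a price is fresh and tight enough to act on. The sketch below is an added example, not Zest's code: it validates a Pyth-style update (price, conf, expo, publish_time) before valuing collateral and fails closed on a bad price. The thresholds, function names, USD-denominated debt and sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumed policy values for illustration only; not Zest's parameters.
MAX_AGE_SECONDS = 60                     # oldest price accepted
MAX_CONF_RATIO = Decimal("0.01")         # widest conf/price ratio accepted
LIQUIDATION_THRESHOLD = Decimal("0.80")  # debt may reach 80% of collateral


@dataclass(frozen=True)
class PythPrice:
    """Fields of a Pyth price update: value = price * 10**expo."""
    price: int
    conf: int
    expo: int
    publish_time: int  # unix seconds


def conservative_price(p: PythPrice, now: int) -> Decimal:
    """Return the lower-bound price (price - conf), or raise ValueError."""
    if p.price <= 0:
        raise ValueError("non-positive price")
    age = now - p.publish_time
    if age < 0 or age > MAX_AGE_SECONDS:
        raise ValueError(f"stale price (age {age}s)")
    if Decimal(p.conf) > Decimal(p.price) * MAX_CONF_RATIO:
        raise ValueError("confidence interval too wide")
    return Decimal(p.price - p.conf).scaleb(p.expo)


def assess_position(collateral_units, debt_usd, p: PythPrice, now: int) -> str:
    """Fail closed: a bad price pauses the decision instead of being trusted."""
    if debt_usd <= 0:
        return "healthy"
    try:
        price = conservative_price(p, now)
    except ValueError as err:
        return f"paused: {err}"
    health = collateral_units * price * LIQUIDATION_THRESHOLD / debt_usd
    return "healthy" if health >= 1 else "liquidatable"


# Constructed sample updates (not real market data): 95,000.00 +/- conf, expo -8.
NOW = 1_700_000_000
FRESH = PythPrice(9_500_000_000_000, 5_000_000_000, -8, NOW - 5)
STALE = PythPrice(9_500_000_000_000, 5_000_000_000, -8, NOW - 300)
WIDE = PythPrice(9_500_000_000_000, 500_000_000_000, -8, NOW - 5)
```

Pausing on a stale price trades liquidation delay for protection against acting on a wrong value, so the age limit has to be chosen with the chain's block time in mind.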

What Could Go Wrong

  1. Zest was exploited on its public launch day for 324,000 STX (~$897K) through a collateral value manipulation attack, demonstrating insufficient pre-launch security testing
  2. Built on Stacks using Clarity smart contracts — a less mature and less audited language than Solidity — with a smaller security researcher community to identify bugs
  3. The BTCz liquid restaking product introduces novel Bitcoin-native DeFi risks with limited precedent for the Clarity/Stacks architecture

Second Exploit in Clarity Smart Contracts

Moderate

Trigger: An attacker discovers another vulnerability in Zest's Clarity smart contracts — potentially in the patched collateral valuation logic or in the newer BTCz/sBTC integration — enabling fund theft

  1. Attacker discovers and exploits a vulnerability in Zest's lending contracts or BTCz integration. Lending pool funds partially or fully drained; protocol freezes operations.
  2. Second exploit destroys confidence in Zest's security, especially given the launch-day exploit precedent. Users lose trust; remaining depositors withdraw all funds once protocol unfreezes.
  3. Points program participants exit; expected ZEST token value collapses before launch. Protocol has insufficient incentives to attract new deposits; TVL drops toward zero.
  4. Stacks DeFi ecosystem confidence shaken as the largest Stacks protocol suffers a second exploit. Capital flight from Stacks DeFi; other Stacks protocols face indirect TVL losses.

Risk Profile at a Glance

Mechanism Novelty: 6/15
Interaction Severity: 8/20
Oracle Surface: 4/10
Documentation Gaps: 3/10
Track Record: 8/15
Scale Exposure: 3/10
Regulatory Risk: 5/10
Vitality Risk: 3/10

Overall: C+ (40/100)

Lower score = safer
