Lending app Era Lend on zkSync has been exploited for $3.4 million worth of crypto, according to a July 25 report from blockchain security firm CertiK. The attacker used a “read-only reentrancy attack” to drain the funds. In an ordinary reentrancy attack a contract hands control to an external caller partway through a multi-step operation, and the caller re-enters it before that operation has finished. In the “read-only” variant the function that gets re-entered is a view function: it changes no state itself, but because it is called while the first contract is mid-update it returns values that are stale or mutually inconsistent, and a third contract that trusts those values (a lender using the pool as a price oracle, for example) acts on them.
The report reveals that the attacker drained funds in two separate transactions, using the externally owned account 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a. They exploited a vulnerability in “the callback and _updateReserves function” to make a contract report old values that had not yet been updated.
Era Lend is a fork of the Syncswap project, and CertiK has warned that other projects based on Syncswap may also be vulnerable to the same exploit. The incident underlines how much decentralized finance (DeFi) platforms depend on thorough security audits and on defensive design, not just on the absence of known bugs.
The vulnerability in the Syncswap code allows a user to “burn, then callback before update_reserves is called”: the pool processes the burn and hands control to the caller before its stored reserves are refreshed, so an oracle that reads those reserves during the callback gets pre-burn values. This class of flaw is hard for auditors to catch because reentrancy reviews typically concentrate on entry points that modify state and treat view functions as harmless. Pseudonymous blockchain investigator Officer’s Notes explained in a June 7 blog post that read-only reentrancy attacks are difficult to spot and emphasized the need for auditors to use specialized tooling to identify them.
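The following Solidity sketch is an added illustration of the read-only reentrancy pattern described above (the general mechanism from the opening paragraph and the specific "burn, then callback before reserves are updated" ordering). It is not SyncSwap or Era Lend code; every contract and function name here (TinyPool, TinyLender, ReadOnlyReentrant, onBurnCallback, burnVulnerable, burnFixed, getReservesChecked) is an assumption made for the example, and the lender's 1:1 token valuation is chosen only to keep the arithmetic visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not SyncSwap or Era Lend code. All names are assumptions.

interface IERC20 {
    function balanceOf(address who) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IBurnCallback {
    function onBurnCallback(uint256 amount0, uint256 amount1) external;
}

contract TinyPool {
    IERC20 public immutable token0;
    IERC20 public immutable token1;
    uint256 public reserve0;
    uint256 public reserve1;
    uint256 public totalSupply;                   // LP token supply
    mapping(address => uint256) public balanceOf; // LP balances
    bool public locked;                           // reentrancy lock, readable by others

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    constructor(IERC20 a, IERC20 b) { token0 = a; token1 = b; }

    // Setup helper: credit LP after tokens have been sent to the pool.
    function mint(address to, uint256 liquidity) external nonReentrant {
        balanceOf[to] += liquidity;
        totalSupply += liquidity;
        _updateReserves();
    }

    // VULNERABLE ordering: LP supply drops, tokens leave, the caller is called
    // back, and only then are reserves refreshed. nonReentrant blocks a second
    // burn or swap, but not a view read made by another contract.
    function burnVulnerable(address to) external nonReentrant {
        uint256 liquidity = balanceOf[msg.sender];
        uint256 amount0 = liquidity * reserve0 / totalSupply;
        uint256 amount1 = liquidity * reserve1 / totalSupply;
        balanceOf[msg.sender] = 0;
        totalSupply -= liquidity;
        token0.transfer(to, amount0);
        token1.transfer(to, amount1);
        if (to.code.length > 0) IBurnCallback(to).onBurnCallback(amount0, amount1); // reserves stale here
        _updateReserves();
    }

    // FIXED ordering: reserves are refreshed before the callback, so a reader
    // that re-enters during it sees supply and reserves that agree.
    function burnFixed(address to) external nonReentrant {
        uint256 liquidity = balanceOf[msg.sender];
        uint256 amount0 = liquidity * reserve0 / totalSupply;
        uint256 amount1 = liquidity * reserve1 / totalSupply;
        balanceOf[msg.sender] = 0;
        totalSupply -= liquidity;
        token0.transfer(to, amount0);
        token1.transfer(to, amount1);
        _updateReserves();
        if (to.code.length > 0) IBurnCallback(to).onBurnCallback(amount0, amount1);
    }

    // Plain oracle view: answers even while a burn is in flight.
    function getReserves() external view returns (uint256, uint256) {
        return (reserve0, reserve1);
    }

    // Defensive view: refuses to answer while the pool is mid-operation. This is
    // the reader-side half of the usual fix for read-only reentrancy.
    function getReservesChecked() external view returns (uint256, uint256) {
        require(!locked, "reentrant read");
        return (reserve0, reserve1);
    }

    function _updateReserves() internal {
        reserve0 = token0.balanceOf(address(this));
        reserve1 = token1.balanceOf(address(this));
    }
}

// Lender that prices LP collateral from the pool's reserves (both tokens
// assumed worth 1 unit each).
contract TinyLender {
    TinyPool public immutable pool;
    constructor(TinyPool p) { pool = p; }

    function lpPrice() external view returns (uint256) {
        (uint256 r0, uint256 r1) = pool.getReserves();
        return (r0 + r1) * 1e18 / pool.totalSupply();
    }
}

// Holds some (not all) LP, burns it, and reads the lender's LP price from inside
// the callback. With burnVulnerable the observed price is inflated: totalSupply
// has already dropped while reserve0/reserve1 still hold pre-burn values. A real
// attacker would borrow against LP collateral at that moment.
contract ReadOnlyReentrant is IBurnCallback {
    TinyLender public immutable lender;
    uint256 public priceSeenDuringBurn;
    constructor(TinyLender l) { lender = l; }

    function run(TinyPool pool) external { pool.burnVulnerable(address(this)); }

    function onBurnCallback(uint256, uint256) external override {
        priceSeenDuringBurn = lender.lpPrice();
    }
}
```

Run `ReadOnlyReentrant.run` against a pool seeded with `mint` and compare `priceSeenDuringBurn` with `lpPrice()` read before the burn: with `burnVulnerable` it is higher by the ratio of old to new supply, with `burnFixed` it matches. Switching `TinyLender.lpPrice` to `getReservesChecked` makes the mid-burn read revert instead, which is the conservative choice when the lender cannot control the pool's code.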
In response to the attack, Era Lend’s team acknowledged the incident and paused the protocol’s zkSync contracts to prevent further exploitation. The Overnight Finance protocol, which issues the stablecoin USDC+, has likewise paused its contracts because of the same vulnerability. Saul, a blockchain investigator, reported that over $261,000, or 7.86% of the collateral backing the stablecoin, may have been lost.
Era Lend operates on the zkSync network, an Ethereum layer-2 rollup that utilizes zero-knowledge proofs. The network has seen significant growth, with its total value locked reaching over $110 million in April. The developers behind zkSync plan to launch an ecosystem of interoperable chains, known as “Hyperchains,” by the end of the year.
The incident is a reminder that in DeFi a contract is only as safe as every contract that reads from it: as the sector expands, developers, auditors, and users need to treat stale reads during external calls as seriously as state-changing reentrancy.