Tuesday, October 3, 2023
Home News Blockchain Era Lend on zkSync exploited for $3.4M in reentrancy attack

Era Lend on zkSync exploited for $3.4M in reentrancy attack


The lending app was drained of funds using a “read-only reentrancy” bug, a type of vulnerability that is often difficult for auditors to spot.


Join us on social networks

Lending app Era Lend on zkSync has been exploited for $3.4 million worth of crypto, according to a July 25 report from blockchain security firm CertiK. The attacker used a “read-only reentrancy attack” to drain the funds, which is a type of attack that interrupts a multi-step process and then causes it to continue after a malicious action has been performed. Specifically, a “read-only” reentrancy is one that does not update the state of a contract.


We are seeing reports that @Era_Lend has been exploited on zkSync

Total losses appear to be $3.4 million in a read only reentrancy attack

See more below https://t.co/h8xrjccE5i

— CertiK Alert (@CertiKAlert)

July 25, 2023

According to the report, the attacker drained funds in two separate transactions using the externally owned account 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a. The attacker relied on a vulnerability in “the callback and _updateReserves function” to manipulate a contract into reporting old values that had not yet been updated.

Era Lend is a fork of the Syncswap project, and CertiK claimed that other projects based on Syncswap may also be vulnerable to the exploit.

On-chain sleuth and Twitter user Spreek reported that the Syncswap code allows a user to “burn, then callback before update_reserves is called,” causing the oracle to report incorrect values.

in the syncswap LP tokens, one can burn, then callback before update_reserves is called. so the oracle uses an incorrect reserves value to calculate the price, resulting in an inflating oracle price. pic.twitter.com/0U7Vu7BzJM

— Spreek (@spreekaway)

July 25, 2023

Spreek also reported that the Era Lend team had acknowledged the attack and paused the protocol’s zkSync contracts to prevent further exploits.

Another blockchain investigator, known on Twitter as Saul, reported that the attack had affected stablecoin USDC+, which is issued by the Overnight Finance protocol. According to Saul, the Overnight team has acknowledged the exposure and has paused its own contracts as well. Over $261,000, or 7.86% of the total value of the collateral backing the stablecoin, may have been lost.

In a June 7 blog post explaining how read-only reentrancy attacks are carried out, pseudonymous blockchain investigator Officer’s Notes stated that these vulnerabilities are difficult for auditors to spot, since “Typically, auditors and bug hunters are only concerned with entry points that modify state when looking for reentrancy.”

To help alleviate this problem, Officer’s Notes recommends that auditors use specialized software to aid them in finding these vulnerabilities.

Era Lend runs on the zkSync network, a zero-knowledge proof Ethereum layer-2 rollup. In April, the network’s total value locked reached over $110 million. The network’s developers intend to create an ecosystem of interoperable chains called “Hyperchains” by the end of the year.

Collect this article as an NFT to preserve this moment in history and show your support for independent journalism in the crypto space.


Post Disclaimer

The information provided in our posts or blogs are for educational and informative purposes only. We do not guarantee the accuracy, completeness or suitability of the information. We do not provide financial or investment advice. Readers should always seek professional advice before making any financial or investment decisions based on the information provided in our content. We will not be held responsible for any losses, damages or consequences that may arise from relying on the information provided in our content.


Please enter your comment!
Please enter your name here