Era Lend, a lending protocol operating on the Ethereum scaling blockchain zkSync, recently fell victim to a hacking incident. According to a post by blockchain security company BlockSEC, Era Lend incurred a substantial loss of $3.4 million.
We are assisting @Era_Lend to this issue, and the root cause has been identified. The total loss is ~$3.4M.
Specifically, this is a read-only re-entrancy attack.
Another attack tx is:https://t.co/H4A2suVLai
— BlockSec (@BlockSecTeam) July 25, 2023
After the hack, Era Lends experienced a significant decrease in the total amount locked, which declined from $18.5 million to $10.75 million. The attacker employed a technique known as a “read-only reentrancy attack” to deplete the funds.
This type of attack disrupts a multi-step process and allows it to continue executing after carrying out a malicious action. To be specific, in a “read-only” reentrancy attack, the contract’s state remains unchanged.
According to the report, the attacker utilized the externally owned account 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a to drain funds through two transactions.
This was achieved by exploiting a vulnerability in “the callback and _updateReserves function,” enabling the manipulation of a contract into generating outdated values that had not yet been updated.
Era Lend addressed the hacking incident and confirmed its occurrence in her recent post. She provided a series of statements to elaborate further.
Today, our platform experienced a security breach. However, we have successfully contained the threat and taken immediate action. As a precautionary measure, we have temporarily suspended all borrowing activities and caution against depositing USDC.
Rest assured, We are collaborating with trusted partners and cybersecurity firms to swiftly resolve this situation. It is worth noting that Conic Finance, the DeFi protocol, suffered a recent hack resulting in the theft of over $3.2 million worth of 1700 Ethereum (ETH).
🚨Security Update: We've experienced a security incident on our platform today. The threat has been contained. We've suspended all borrowing operations for now and advise against depositing USDC. We're working with partners and cybersecurity firms to address this.
— EraLend | The #1 Money Market on zkSync🥇 (@Era_Lend) July 25, 2023
Exploit Concerns: Era Lend & USDC+ Attack
Era Lend, a derivative of the Syncswap project, has raised concerns as CertiK suggests that similar projects relying on Syncswap might also be susceptible to the exploit.
A blockchain investigator, Saul, on Twitter, reported an attack on stablecoin USDC+. The Overnight Finance protocol issues this particular stablecoin. Saul mentioned that the Overnight team had acknowledged the breach and temporarily halted its contracts.
It’s estimated that over $261,000, which accounts for 7.86% of the total value of the collateral supporting the stablecoin, may have been lost.
Moreover, Era Lend operates on the zkSync network, an Ethereum layer-2 rollup that utilizes zero-knowledge proofs. As of April, the total value locked in this network surpassed $110 million.
The developers of the network have set a goal to establish an ecosystem of interconnected chains known as “Hyperchains” by the end of this year.
Related Reading | DOGE To Join “X” App As Elon Musk’s Crypto Of Choice
Furthermore, Officer’s Notes suggests that auditors utilize specialized software to aid in identifying and addressing these vulnerabilities. This will help alleviate this issue.