ZkSync Lending Protocol EraLend Loses $3.4M in an Exploit

Key takeaways:

• A $3.4 million read-only reentrancy assault has been launched against EraLend.
• EraLend immediately ceased all borrowing operations on their platform due to the security breach.

A $3.4 million read-only reentrancy assault has been launched against EraLend, the most prominent lending protocol on the Ethereum scaling network zkSync.

The lending industry was recently rattled by a security event where a devastating exploit for EraLend on ZkSync caused a loss of almost $3.4 million, according to a tweet from Beosin Alert.

Eralend on #zkSync was attacked with a loss of $3.4M.

The root cause was an inconsistency between the calculated borrow value and liquidate value. The amount borrowed was higher than the amount repaid, allowing the attacker to profit after borrowing and liquidation.

The… https://t.co/cpPcHcKM6r pic.twitter.com/LnRMX0eueV

— Beosin Alert (@BeosinAlert) July 25, 2023

Using a “read-only reentrancy attack” strategy, the attacker could manipulate the LP token’s price and drain a sizable amount of money from the platform. To be more precise, a “read-only” reentrancy doesn’t change the status of a contract. 

EraLend immediately ceased all borrowing operations on their platform due to the security breach. They cautioned customers against depositing USDC until the issue had been fixed as a precaution. In an effort to address the situation and stop any further dangers to user funds, the platform is actively working with cybersecurity companies and business partners. EraLend tweeted about the exploit to inform users:

“We’ve experienced a security incident on our platform today. The threat has been contained. We’ve suspended all borrowing operations for now and advise against depositing USDC. We’re working with partners and cybersecurity firms to address this. More updates to follow,”

The report claims the attacker used the externally held account to drain money in two separate transactions. The attacker used a flaw in “the callback and _updateReserves function” to trick a contract into reporting out-of-date values.

An active partner in EraLend’s investigation is the cybersecurity company Blocksec. The primary form of exploitation has been pinpointed as a read-only reentrancy attack, which is the underlying cause of the issue. Significant financial losses occurred due to this attack vector’s ability to grant unauthorized access to the LP token price.

We are assisting @Era_Lend to this issue, and the root cause has been identified. The total loss is ~$3.4M.
Specifically, this is a read-only re-entrancy attack.
Another attack tx is:https://t.co/H4A2suVLai
Attacker address:
0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a https://t.co/InhCCW7QAy

— BlockSec (@BlockSecTeam) July 25, 2023

Pseudonymous blockchain researcher Officer’s Notes articulated read-only reentrancy attacks in a blog post on June 7 and claimed that these vulnerabilities are complex for auditors to find because they are only interested in “entry points” that modify state when looking for reentrancy.

Officer’s Notes advises auditors to utilize specialized tools to help them uncover these vulnerabilities in order to help ease this issue.

Serious concerns regarding the security of user funds and the requirement for robust safety precautions inside the decentralized financial ecosystem have been raised in light of the security incident at EraLend on ZkSync. DeFi protocol Conic Finance suffered a comparable attack last week, with $3.26 million in overall damage.