ZkSync Lending Protocol EraLend Loses $3.4M in an Exploit


Key takeaways:

  • A $3.4 million read-only reentrancy assault has been launched against EraLend.
  • EraLend immediately ceased all borrowing operations on their platform due to the security breach.

A $3.4 million read-only reentrancy assault has been launched against EraLend, the most prominent lending protocol on the Ethereum scaling network zkSync.

The lending industry was recently rattled by a security event where a devastating exploit for EraLend on ZkSync caused a loss of almost $3.4 million, according to a tweet from Beosin Alert.

Using a “read-only reentrancy” strategy, the attacker was able to manipulate the LP token’s price and drain a sizable amount of money from the platform. The term “read-only” refers to the fact that the reentrant call does not itself change the state of the contract it re-enters; instead, it reads a value (here, a price) that the contract reports while one of its own state-changing operations is still in progress and its stored values are out of date.

EraLend immediately ceased all borrowing operations on its platform due to the security breach. As a precaution, it cautioned users against depositing USDC until the issue had been fixed. In an effort to address the situation and prevent any further risk to user funds, the platform is actively working with cybersecurity companies and business partners. EraLend tweeted about the exploit to inform users:

“We’ve experienced a security incident on our platform today. The threat has been contained. We’ve suspended all borrowing operations for now and advise against depositing USDC. We’re working with partners and cybersecurity firms to address this. More updates to follow.”

The report states that the attacker used an externally owned account (EOA) to drain funds in two separate transactions. The attacker abused a flaw in “the callback and _updateReserves function” to trick a contract into reporting out-of-date values.
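The stale-value mechanism described above, shown as an added illustration that is not EraLend’s code: a hypothetical single-asset pool whose LP-price view is read by a lending market as its oracle. In the vulnerable version, withdrawal burns shares and sends ETH (which hands control to the caller) before `_updateReserves` refreshes the cached reserve, so the view reports an out-of-date value during that callback; the hardened version applies effects before the external call and makes the view revert while the pool is mid-operation. Only the name `_updateReserves` comes from the article; every other identifier is an assumption, and share-minting is simplified.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical single-asset vault with LP shares; not EraLend's code.
abstract contract PoolBase {
    uint256 public reserve;          // cached balance, refreshed by _updateReserves
    uint256 public totalLp;
    mapping(address => uint256) public lp;
    function deposit() external payable {            // mints shares at current price
        uint256 minted = totalLp == 0 ? msg.value : msg.value * totalLp / reserve;
        lp[msg.sender] += minted; totalLp += minted; _updateReserves();
    }
    function _updateReserves() internal { reserve = address(this).balance; }
}

contract VulnerablePool is PoolBase {
    // Value per LP share, read by a lending market as its price oracle.
    function lpPrice() external view returns (uint256) {
        return reserve * 1e18 / totalLp;
    }
    function withdraw(uint256 lpAmount) external {
        uint256 out = reserve * lpAmount / totalLp;
        lp[msg.sender] -= lpAmount;
        totalLp -= lpAmount;                             // shares burned...
        (bool ok, ) = msg.sender.call{value: out}("");   // ...caller's fallback runs here,
        require(ok, "send failed");                      // seeing stale reserve / reduced totalLp
        _updateReserves();                               // ...cache refreshed only afterwards
    }
}

contract HardenedPool is PoolBase {
    bool private locked;
    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }

    // The view refuses to answer while a state-changing call is in flight, so a
    // consumer reading it from a callback reverts instead of getting a stale value.
    function lpPrice() external view returns (uint256) {
        require(!locked, "pool busy");
        return reserve * 1e18 / totalLp;
    }
    function withdraw(uint256 lpAmount) external nonReentrant {
        uint256 out = reserve * lpAmount / totalLp;
        lp[msg.sender] -= lpAmount;
        totalLp -= lpAmount;
        reserve -= out;                                  // effects before interaction
        (bool ok, ) = msg.sender.call{value: out}("");
        require(ok, "send failed");
    }
}
```

A lending market that consumes such a price should also treat a reverting oracle read as a hard failure rather than falling back to a cached value.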

An active partner in EraLend’s investigation is the cybersecurity company BlockSec. The primary form of exploitation has been pinpointed as a read-only reentrancy attack, which is the underlying cause of the issue. This attack vector allowed the LP token price to be manipulated, which led to significant financial losses.

Pseudonymous blockchain researcher Officer’s Notes described read-only reentrancy attacks in a blog post on June 7, arguing that these vulnerabilities are hard for auditors to find because, when looking for reentrancy, auditors typically focus only on “entry points” that modify state.

To help ease this issue, Officer’s Notes advises auditors to use specialized tools to uncover these vulnerabilities.

The security incident at EraLend on ZkSync has raised serious concerns about the security of user funds and the need for robust safety precautions within the decentralized finance ecosystem. DeFi protocol Conic Finance suffered a comparable attack last week, with $3.26 million in overall damage.

Deep