Era Lend on zkSync Exploited for $3.4 Million in Crypto
According to a report from CertiK, the lending app Era Lend on zkSync has been exploited, resulting in the loss of $3.4 million worth of cryptocurrency. The attacker used a “read-only reentrancy attack” to drain the funds. Here are the key points:
– The attacker drained funds in two separate transactions using the externally owned account 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a.
– The vulnerability was found in the “callback and _updateReserves function”: the pool hands control to the caller in a callback before its reserves are updated, so a view function that other contracts rely on still reports the old reserve values at that moment. The attacker reentered through that view and used the stale reading to extract funds.
– According to the report, Era Lend is a fork of the Syncswap project, and other projects based on Syncswap may also be vulnerable to the same exploit.
– The Era Lend team has acknowledged the attack and paused the protocol’s zkSync contracts to prevent further exploits.
– The stablecoin USDC+, issued by the Overnight Finance protocol, was also affected by the attack, with a potential loss of over $261,000.
This attack highlights the difficulty of detecting read-only reentrancy vulnerabilities. Auditors and bug hunters typically focus on entry points that modify state, and a contract’s own reentrancy guard usually protects only those; a view function carries no guard, so a downstream protocol can read it while the source contract is mid-operation and nothing reverts. To address this, auditors should use tooling that traces which external view functions a protocol depends on and checks whether they can be read during a callback of the contract that serves them. Era Lend operates on the zkSync network, which plans to create an ecosystem of interoperable chains called “Hyperchains.”
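To make the mechanism concrete, here is an added Python model of the pattern described above. It is constructed for this page and is not Era Lend’s or Syncswap’s code: a pool whose burn hands control to the recipient before its reserves are updated, a lender that prices LP collateral from the pool’s view functions, and an attacker that borrows from inside the callback. The figures, the 1:1 stable pair, the 80% loan-to-value ratio, and the two fixes shown (the pool updating reserves before the callback, and the lender refusing to read a pool whose reentrancy lock is set) are assumptions for illustration.

```python
"""Toy model of a read-only reentrancy against a lender that prices LP collateral
from a pool's view functions.  Constructed for illustration; not Era Lend or
Syncswap code.  Assumes a 1:1 stable pair, so one LP share is worth
(reserve0 + reserve1) / total_supply."""

SCALE = 10**18
LTV_BPS = 8_000  # 80% loan-to-value (assumed)


class PoolBusy(Exception):
    """Raised when a consumer refuses to price off a pool that is mid-operation."""


class Pool:
    def __init__(self, reserve0, reserve1, total_supply, update_reserves_first=False):
        self.reserve0, self.reserve1 = reserve0, reserve1
        self.total_supply = total_supply
        self.update_reserves_first = update_reserves_first  # pool-side fix
        self._locked = False  # reentrancy guard on state-changing entry points only

    # View functions carry no guard: they change nothing, so nothing stops a
    # caller from reading them while burn() is half-way through.
    def get_reserves(self):
        return self.reserve0, self.reserve1

    def locked(self):
        return self._locked

    def burn(self, lp_amount, recipient):
        """Redeem LP shares; a contract recipient gets a callback on transfer."""
        if self._locked:
            raise RuntimeError("reentrant call")
        self._locked = True
        try:
            amt0 = self.reserve0 * lp_amount // self.total_supply
            amt1 = self.reserve1 * lp_amount // self.total_supply
            self.total_supply -= lp_amount
            if self.update_reserves_first:
                self.reserve0, self.reserve1 = self.reserve0 - amt0, self.reserve1 - amt1
            # Control passes to the recipient here.  In the vulnerable ordering the
            # reserves still hold pre-burn values while total_supply is already lower.
            recipient.on_tokens_received(amt0, amt1)
            if not self.update_reserves_first:
                self.reserve0, self.reserve1 = self.reserve0 - amt0, self.reserve1 - amt1
        finally:
            self._locked = False


class Lender:
    def __init__(self, pool, liquidity, check_pool_lock=False):
        self.pool, self.liquidity = pool, liquidity
        self.check_pool_lock = check_pool_lock  # consumer-side fix
        self.collateral, self.debt = {}, {}

    def lp_price(self):
        """Price of one LP share (scaled by SCALE), read from the pool's views."""
        if self.check_pool_lock and self.pool.locked():
            raise PoolBusy("pool is mid-operation; its reserves are stale")
        r0, r1 = self.pool.get_reserves()
        return (r0 + r1) * SCALE // self.pool.total_supply

    def max_borrow(self, who):
        value = self.collateral.get(who, 0) * self.lp_price() // SCALE
        return value * LTV_BPS // 10_000 - self.debt.get(who, 0)

    def deposit(self, who, lp_amount):
        self.collateral[who] = self.collateral.get(who, 0) + lp_amount

    def borrow(self, who, amount):
        if amount > self.max_borrow(who):
            raise ValueError("insufficient collateral")
        self.debt[who] = self.debt.get(who, 0) + amount
        self.liquidity -= amount


class Attacker:
    """Holds LP shares and borrows from inside the pool's callback."""
    def __init__(self, pool, lender):
        self.pool, self.lender, self.blocked = pool, lender, False

    def on_tokens_received(self, amt0, amt1):
        try:
            self.lender.borrow(self, self.lender.max_borrow(self))
        except PoolBusy:
            self.blocked = True  # the consumer-side check stopped the stale read


def simulate(pool_fix=False, lender_fix=False):
    """Attacker with 100k LP as collateral burns 400k LP; report what it could borrow."""
    pool = Pool(1_000_000, 1_000_000, 1_000_000, update_reserves_first=pool_fix)
    lender = Lender(pool, liquidity=1_000_000, check_pool_lock=lender_fix)
    attacker = Attacker(pool, lender)
    lender.deposit(attacker, 100_000)
    honest_limit = lender.max_borrow(attacker)  # 100_000 * 2 * 0.8 = 160_000
    pool.burn(400_000, attacker)                # borrowing happens inside the callback
    return {
        "honest_limit": honest_limit,
        "borrowed": lender.debt.get(attacker, 0),
        "blocked": attacker.blocked,
        "price_after": lender.lp_price(),       # back to 2 * SCALE once burn completes
    }


if __name__ == "__main__":
    for name, kw in [("vulnerable", {}), ("pool fix", {"pool_fix": True}),
                     ("lender fix", {"lender_fix": True})]:
        print(name, simulate(**kw))
```

In the vulnerable ordering the attacker borrows 266,666 units against collateral that is worth only 200,000 once the burn completes, well past the 160,000 limit, and the pool’s own guard never fires because the reentry goes through a view. Either fix closes the gap: updating reserves before the callback makes the view consistent, and checking the pool’s lock makes the lender refuse the read altogether.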
Hot Take:
The exploit of Era Lend on zkSync demonstrates the ongoing challenges of securing decentralized finance platforms. As the popularity of crypto lending and layer-2 solutions grows, it is imperative for developers and auditors to remain vigilant in identifying and addressing potential vulnerabilities. The incident serves as a reminder that even seemingly secure protocols can be susceptible to attacks, emphasizing the need for continuous improvement in security measures.