ZkSync’s Largest Lender EraLend Suffered A $3.4M Attack

Key Points:

• EraLend, the leading lending protocol on Ethereum’s zkSync, suffers a $3.4 million read-only reentrancy attack.
• The attacker exploited a vulnerability in the smart contract code, using a faulty price oracle to repeatedly withdraw more funds than authorized.
• EraLend promptly suspends borrowing operations and advises users against depositing USDC while working with cybersecurity firms to address the security breach.

In a recent security breach, EraLend, the largest lending protocol operating on the Ethereum scaling blockchain zkSync, fell victim to a read-only reentrancy attack, resulting in a substantial loss of $3.4 million.

According to blockchain security firm CertiK, the attack exploited a vulnerability in EraLend’s smart contract code, allowing the attacker to withdraw more funds than authorized within a single transaction. As a result of the exploit, the total amount of locked capital on EraLend dropped from $18.5 million to $7.7 million, as reported by DefiLlama.

The vulnerability that the attacker took advantage of involved a read-only function, typically considered safe due to its inability to modify the contract’s state. These functions perform view actions, such as calculating token balances, without altering any data. However, the hacker manipulated this function through a reentrancy exploit, repeatedly calling it to drain assets from EraLend. The exploit focused on a faulty price oracle that EraLend relied on, ultimately allowing the attacker to siphon off significant funds from the protocol.

Era Lend addressed the incident promptly, suspending all borrowing operations and warning users against depositing USDC (USD Coin) until the issue is resolved. The team is actively working with cybersecurity firms and partners to investigate the attack and implement necessary security measures.

In the wake of the attack, Era Lend reassured its users that only the USDC pool was compromised, and the security of assets other than USDC remains intact. As a precautionary step, the platform temporarily halted borrowing operations to prevent further losses.

The attack on EraLend bears a resemblance to a similar incident that targeted the decentralized finance (DeFi) protocol Conic Finance the previous week, resulting in a total loss of $3.6 million. It highlights the need for increased security measures within the DeFi space as attackers continue to exploit vulnerabilities in smart contract code.

Despite the setback, EraLend remains committed to enhancing its security infrastructure to protect user funds and bolster the confidence of its community. As the DeFi ecosystem evolves, it is evident that constant vigilance and proactive security measures are essential to safeguarding users’ assets and the overall integrity of decentralized platforms.

DISCLAIMER: The information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.