- EraLend is the latest DeFi victim of a read-only re-entrancy attack.
- The zkSync-based lending protocol lost $3.4 million to the hack.
EraLend, a crypto lending protocol native to the buzzy zkSync blockchain, suffered a malicious exploit on July 25, leading to estimated losses of $3.4 million in USDC and a 50% decline in investor deposits.
Blockchain security firm BlockSec said the exploit was a read-only re-entrancy attack, a difficult-to-detect attack vector, especially for projects whose logic spans many interacting smart contracts.
The EraLend exploiter targeted a vulnerability in the project’s smart contract that controls “token burn” and “mint” functions used for lending and borrowing on the protocol.
The smart contract vulnerability is tied to a fellow zkSync-native protocol, SyncSwap — the largest decentralised exchange on the blockchain with $81 million in investor deposits, or total value locked, according to DefiLlama data.
“The attacker manipulated the liquidity pool’s price in the burn/mint actions of SyncSwap, whose reserves are used to calculate the liquidity pool price,” BlockSec told DL News.
BlockSec shared a snippet of the vulnerable code and advised other projects that use the same code to be vigilant.
“Those who rely on SyncSwap to calculate the [liquidity pool] price are vulnerable,” the researcher said.
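To illustrate the pattern BlockSec describes, here is an added example; it is not the snippet BlockSec shared, nor SyncSwap's or EraLend's code. A hypothetical LP-token price oracle that values the token straight from live pool reserves sits next to a version that refuses to quote while the pool's own re-entrancy lock is held. The pool interface (getReserves, totalSupply, locked) and the fixed underlying prices are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical pool interface; the function names are assumptions for this
// example, not SyncSwap's actual ABI.
interface ILiquidityPool {
    function getReserves() external view returns (uint256 reserve0, uint256 reserve1);
    function totalSupply() external view returns (uint256);
    // Assumed: exposes the pool's re-entrancy lock, true while a burn/mint is in flight.
    function locked() external view returns (bool);
}

// Shared arithmetic: LP token value = (reserve0 * price0 + reserve1 * price1) / totalSupply.
abstract contract LpPriceBase {
    ILiquidityPool public immutable pool;
    uint256 public immutable price0; // constructed: fixed underlying prices, 18 decimals
    uint256 public immutable price1;

    constructor(ILiquidityPool _pool, uint256 _price0, uint256 _price1) {
        pool = _pool; price0 = _price0; price1 = _price1;
    }

    function _spotLpPrice() internal view returns (uint256) {
        (uint256 r0, uint256 r1) = pool.getReserves();
        uint256 supply = pool.totalSupply();
        require(supply > 0, "empty pool");
        return (r0 * price0 + r1 * price1) / supply;
    }
}

// Vulnerable pattern: answers from live reserves at any time. If a burn/mint has already
// sent tokens out (firing a callback) but not yet written the new reserves and supply,
// a caller inside that callback reads a transiently wrong price.
contract VulnerableLpOracle is LpPriceBase {
    constructor(ILiquidityPool p, uint256 a, uint256 b) LpPriceBase(p, a, b) {}
    function lpPrice() external view returns (uint256) {
        return _spotLpPrice();
    }
}

// Hardened pattern: refuse to quote while the pool's lock is held, so state read
// mid burn/mint can never be turned into a collateral valuation.
contract GuardedLpOracle is LpPriceBase {
    constructor(ILiquidityPool p, uint256 a, uint256 b) LpPriceBase(p, a, b) {}
    function lpPrice() external view returns (uint256) {
        require(!pool.locked(), "pool mid burn/mint: price unreliable");
        return _spotLpPrice();
    }
}
```

The guard only helps when the pool actually exposes its lock state; where it does not, a time-weighted price or an oracle independent of the pool's spot reserves is the usual fallback.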
EraLend has confirmed the attack, stating that it is assessing its scope and impact.
“We want to assure you that the attack has been contained, and the threat actor is no longer able to continue their actions,” an announcement on the protocol’s Discord server said.
The EraLend team stated that it has paused withdrawals on the protocol and urged users not to deposit funds until further notice.
“We are currently collaborating with cross-chain bridge partners and zkSync to prevent any further potential asset outflows,” the team said.
EraLend is the latest protocol to fall victim to a read-only re-entrancy attack, with DeFi protocol Conic Finance losing $3 million to a similar attack on July 21.
Re-entrancy attacks rank high among DeFi attack vectors, with some of the largest hacks in the sector attributed to them in the past.
This includes the $60 million DAO hack of 2016.
Re-entrancy attacks are often paired with flash loans — crypto loans borrowed and repaid within a single transaction block — to syphon funds from DeFi protocols.
DeFi losses due to hacks, rug pulls and other malicious exploits have cooled this year compared to last year, with $313 million stolen in the second quarter of 2023 as against $745 million in the same period last year.
To share tips or information about Ethereum security please contact me at osato@dlnews.com.