- On-chain analysts have recorded suspicious activity on the Era Lend platform. Later, the administration confirmed the hack.
- An attacker exploited a “reentry” vulnerability to manipulate the LP rate. The exact amount of damage is unknown, the approximate amount is $3.4 million.
The largest landing protocol on the zkSync blockchain called Era Lend hacked. The probable damage is $3.4 million.
According to the Certik analytical agency, the hacker used the “re-entry” vulnerability to influence the price of the LP token. We described this exploit in detail in the article about hacking the DeFi protocol of Conic Finance.
Abnormal activity on the platform also discovered anonymous expert under the pseudonym spreekaway. Judging by his data, the hacker first withdrew $1.7 million in USDC, then another $1 million, and then the rest of the amount.
Note that the exact damage is still unknown. The administration of Era Lend confirmed the hack and noted that it was blocked, but also warned users do not yet deposit funds to the site:
“Today [24 июля 2023 года] there was a security incident on our platform. The threat has been localized. For now, we have suspended all lending operations and advise you not to place USDC. We are working with cybersecurity experts and companies as part of the investigation.”
Based on a screenshot of a corporate email from spreekaway, the hack only affected the USDC pool:
The total amount of capital blocked on the platform decreased from $18.5 million to $10.75 million, according to DeFiLlama. With this in mind, the probable damage from the actions of intruders can be much greater than recorded at the time of writing.