Reading 3 min Views 5 Published Updated
The Era Lend lending app on zkSync was used for $3.4 million worth of cryptocurrencies, according to a July 25 report from blockchain security firm CertiK. The attacker used a “read-only re-entry attack” to drain funds, which is a type of attack that interrupts a multi-step process and then causes it to continue after the malicious action is performed. In particular, a read-only re-entry does not update the state of the contract.
We are seeing reports that @Era_Lend has been exploited on zkSync
Total losses appear to be $3.4 million in a read only reentrancy attack
See more below https://t.co/h8xrjccE5i
— CertiK Alert (@CertiKAlert) July 25, 2023
According to the report, the attacker withdrew funds in two separate transactions using external account 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a. They relied on a vulnerability in the “callback function and _updateReserves” to manipulate the contract and report old values that had not yet been updated.
Era Lend is a fork of the Syncswap project, and CertiK stated that other projects based on Syncswap may also be vulnerable to the exploit.
Network sleuth and Twitter user Spreek reported that the Syncswap code allows the user to “write and then call back before calling update_reserves”, causing the oracle to report incorrect values.
in the syncswap LP tokens, one can burn, then callback before update_reserves is called. so the oracle uses an incorrect reserves value to calculate the price, resulting in an inflating oracle price. pic.twitter.com/0U7Vu7BzJM
— Spreek (@spreekaway) July 25, 2023
Spreek also reported that the Era Land team acknowledged the attack and suspended the zkSync protocol contracts to prevent further exploits.
Another blockchain researcher known on Twitter as Saul reported that the attack affected the USDC+ stablecoin issued by the Overnight Finance protocol. According to Saul, the Overnight team acknowledged the revelation and put their own contracts on hold as well. More than $261,000 may have been lost, or 7.86% of the total value of the collateral backing the stablecoin.
A June 7 blog post explaining how read-only reentry attacks are carried out, under the pseudonym of blockchain researcher Officer’s Notes, says that these vulnerabilities are difficult for auditors to detect because “normally auditors and bug hunters are only interested in entry points that change state when a reentry is sought.”
To address this issue, Officer’s Notes recommends that auditors use specialized software to help them find these vulnerabilities.
Era Lend runs on the zkSync network, a zero-knowledge level 2 Ethereum rollup. In April, the total value of the blocked network exceeded $110 million. The developers of the network intend to create an ecosystem of interoperable chains called “Hyperchains” by the end of the year.