According to a report by CertiK, the lending app Era Lend has fallen victim to a $3.4 million exploit; the amount of cryptocurrency stolen was later revised to an estimated $2.76 million. The attacker is believed to have used a read-only re-entrancy attack to drain the funds. In such an attack, a multi-step operation is interrupted by an external call, which lets the attacker act before the operation finishes and its state is updated. Unlike classic re-entrancy, the re-entered function does not modify the contract's state; it only reads state that has not yet been updated, and so returns stale values.
We are seeing reports that @Era_Lend has been exploited on zkSync
Total losses appear to be $3.4 million in a read only reentrancy attack
See more below 👇 https://t.co/h8xrjccE5i
— CertiK Alert (@CertiKAlert) July 25, 2023
The blockchain security firm's report states that the attacker drained the funds in two separate attacks from an externally owned account, exploiting a vulnerability in "the callback and _updateReserves function" to make a contract report outdated values.
It had previously been reported that the SyncSwap code allows a user to burn and then receive a callback before update_reserves is called, which causes the oracle to report incorrect values. Era Lend acknowledged the attack and immediately paused its zkSync contracts to prevent further exploitation.
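To make the ordering problem described above concrete, here is an added Python model (not SyncSwap's or Era Lend's code; the pool, the oracle and the reserve figures are constructed assumptions) of a pool that sends assets on burn and invokes a receiver callback before its cached reserves are updated. An oracle that values the LP token from those cached reserves returns an inflated price inside the callback, which is what a lender valuing collateral at that moment would see. The model also shows the two defensive orderings: updating reserves before the external call, and an oracle that refuses to read while the pool's re-entrancy lock is held.

```python
# Toy model of a read-only re-entrancy window in an AMM pool that a lender
# uses as a price oracle. Constructed for illustration; not SyncSwap's or
# Era Lend's code. All names (Pool, lp_price, run_scenario) and the
# reserve/supply figures are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple


@dataclass
class Pool:
    """Two-asset pool whose LP token is valued from *cached* reserves."""
    reserve0: float
    reserve1: float
    total_supply: float
    fixed: bool = False          # True: update reserves before the callback
    balance0: float = field(init=False)
    balance1: float = field(init=False)
    locked: bool = field(init=False, default=False)

    def __post_init__(self) -> None:
        # Actual token balances start out equal to the cached reserves.
        self.balance0 = self.reserve0
        self.balance1 = self.reserve1

    def _update_reserves(self) -> None:
        self.reserve0, self.reserve1 = self.balance0, self.balance1

    def burn(self, lp_amount: float,
             callback: Callable[["Pool"], None]) -> Tuple[float, float]:
        """Redeem LP tokens for the underlying assets, notifying the receiver."""
        if self.locked:
            raise RuntimeError("re-entrant burn blocked by lock")
        self.locked = True
        share = lp_amount / self.total_supply
        out0, out1 = self.balance0 * share, self.balance1 * share
        self.total_supply -= lp_amount       # LP supply shrinks immediately
        self.balance0 -= out0                # tokens leave the pool
        self.balance1 -= out1
        if self.fixed:
            self._update_reserves()          # effects before the interaction
        callback(self)                       # external call: receiver hook
        if not self.fixed:
            self._update_reserves()          # vulnerable ordering: too late
        self.locked = False
        return out0, out1


def lp_price(pool: Pool, check_lock: bool = False) -> float:
    """Oracle view: value of one LP token from cached reserves (reads only)."""
    if check_lock and pool.locked:
        raise RuntimeError("oracle refused: pool is mid-operation")
    return (pool.reserve0 + pool.reserve1) / pool.total_supply


def run_scenario(fixed: bool, check_lock: bool) -> Tuple[float, Optional[float], float]:
    """Return the LP price (before, as read inside the burn callback, after).

    A lender valuing collateral inside the callback would use the middle value.
    """
    pool = Pool(reserve0=1000.0, reserve1=1000.0, total_supply=1000.0, fixed=fixed)
    before = lp_price(pool)
    seen: list = []

    def receiver(p: Pool) -> None:
        try:
            seen.append(lp_price(p, check_lock=check_lock))
        except RuntimeError:
            seen.append(None)              # guarded oracle refused the read

    pool.burn(500.0, receiver)
    return before, seen[0], lp_price(pool)


if __name__ == "__main__":
    print("vulnerable ordering   :", run_scenario(fixed=False, check_lock=False))
    print("reserves updated first:", run_scenario(fixed=True, check_lock=False))
    print("lock-aware oracle     :", run_scenario(fixed=False, check_lock=True))
```

With the vulnerable ordering the LP supply has already halved while the cached reserves are untouched, so the price read inside the callback is double the true value; either moving `_update_reserves` ahead of the callback or having the oracle check the pool's lock closes the window.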
A member of the Era Lend team released a statement on Twitter:
"We want to assure you that the attack has been contained, and the threat actor is no longer able to continue their actions. The scope of impact is currently being assessed and will be further announced."
Era Lend Responds to the Attack
A blockchain investigator posting on Twitter under the alias Saul reported that the attack had significantly affected the stablecoin USDC+, which is issued by the Overnight Finance protocol. Saul also noted that Overnight Finance had acknowledged its exposure and halted its own contracts. An estimated 7.86%, or $261,000, of the collateral backing the stablecoin may have been lost in the exploit.
Following the attack, the Era Lend team reassured users that it had quickly identified the attack and taken the necessary measures, fully containing it and preventing the exploiter from continuing. It clarified that only the USDC+ pool was compromised and that assets outside that pool remain secure.
As a precaution, Era Lend also advised users not to deposit USDC tokens for the time being, and all borrowing operations were temporarily suspended. No further update has been issued so far, but Era Lend is expected to keep its users informed as the situation develops.