Era Lend, a decentralized lending protocol operating on the zkSync Layer 2 network, has fallen victim to a ‘read-only reentrancy attack’ resulting in a loss of $3.4 million, according to a report by the blockchain security firm BlockSec.
The attacker exploited a vulnerability that allowed a function to be called repeatedly within a single transaction, withdrawing more funds than they were entitled to. In this type of attack, a multi-step process is interrupted partway through, so that the same step can be executed again after a malicious action has been carried out.
The attacker depleted funds in two distinct transactions, utilizing an externally owned account. The exploit involved manipulating a contract to report outdated values that hadn’t been updated yet. The attack had repercussions on the stablecoin USDC+, issued by the Overnight Finance protocol, resulting in a potential loss of over $261,000, which represents 7.86% of the total value of the collateral supporting the stablecoin.
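The stale-value pattern described above, as an added illustration that is not EraLend or SyncSwap code: a hypothetical pool whose unguarded view function reports the pre-update share price while a withdrawal is still in progress, next to a hardened getter and a consumer that refuses a mid-update reading.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: Pool and Lender are hypothetical contracts used to show
// the read-only reentrancy pattern and its mitigation; not the exploited code.
contract Pool {
    uint256 public reserve;      // ETH held by the pool
    uint256 public totalShares;  // LP shares outstanding
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable nonReentrant {
        totalShares += msg.value;
        reserve += msg.value;
    }

    // Vulnerable: no lock check, so a callback during withdraw() still sees the
    // old reserve/totalShares ratio, i.e. an outdated price.
    function sharePriceUnsafe() external view returns (uint256) {
        return reserve * 1e18 / totalShares;
    }

    // Hardened: refuse to answer while a state-changing call is in progress.
    function sharePrice() external view returns (uint256) {
        require(!locked, "read-only reentrancy");
        return reserve * 1e18 / totalShares;
    }

    function withdraw(uint256 shares) external nonReentrant {
        uint256 amount = reserve * shares / totalShares;
        // Checks-effects-interactions: update state before the external call so
        // that any view read from a callback sees current values.
        reserve -= amount;
        totalShares -= shares;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// A lending contract that prices collateral should only use a getter that
// reverts when the pool is mid-update (hypothetical consumer).
contract Lender {
    Pool public immutable pool;
    constructor(Pool p) { pool = p; }

    function collateralValue(uint256 shares) external view returns (uint256) {
        return pool.sharePrice() * shares / 1e18;
    }
}
```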
Era Lend’s response and precautionary measures
In response to the attack, Era Lend took swift action by pausing the protocol’s zkSync contracts to prevent further exploits. The team confirmed the cyberattack on its platform and stated that the attack had been contained and that the threat actor could no longer continue their actions. The team advised users to refrain from depositing USDC for the time being, and borrowing operations on the platform have been temporarily halted.
Era Lend is a fork of the Syncswap project, and the security firm CertiK warned that other projects based on Syncswap might also be susceptible to this exploit. The Overnight team acknowledged the vulnerability and acted promptly by pausing their own contracts too.
Era Lend operates on the zkSync network, an Ethereum layer-2 rollup utilizing zero-knowledge proofs. In April, the total value locked in the zkSync network surpassed $110 million. The network’s developers have ambitious plans to establish an ecosystem of interoperable chains named “Hyperchains” by December 2023.