The lending app was drained of funds using a “read-only reentrancy” bug, a type of vulnerability that is often difficult for auditors to spot.
Lending app Era Lend on zkSync has been exploited for $3.4 million worth of crypto, according to a July 25 report from blockchain security firm CertiK. The attacker used a “read-only reentrancy attack” to drain the funds, which is a type of attack that interrupts a multi-step process and then causes it to continue after a malicious action has been performed. Specifically, a “read-only” reentrancy is one that does not update the state of a contract.
We are seeing reports that @Era_Lend has been exploited on zkSync
Total losses appear to be $3.4 million in a read only reentrancy attack
See more below https://t.co/h8xrjccE5i
— CertiK Alert (@CertiKAlert) July 25, 2023
According to the report, the attacker drained funds in two separate transactions, using the externally owned account 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a. They relied on a vulnerability in the “the callback and _updateReserves function” to manipulate a contract into reporting old values that had not yet been updated.
Era Lend is a fork of the Syncswap project, and CertiK claimed that other projects based on Syncswap may also be vulnerable to the exploit.
On-chain sleuth and Twitter user Spreek reported that the Syncswap code allows a user to “burn, then callback before update_reserves is called,” causing the oracle to report incorrect values.
in the syncswap LP tokens, one can burn, then callback before update_reserves is called. so the oracle uses an incorrect reserves value to calculate the price, resulting in an inflating oracle price. pic.twitter.com/0U7Vu7BzJM
— Spreek (@spreekaway) July 25, 2023
Spreek also reported that the Era Lend team had acknowledged the attack and paused the protocol’s zkSync contracts to prevent further exploits.
Another blockchain investigator, known on Twitter as Saul, reported that the attack had affected stablecoin USDC+, which is issued by the Overnight Finance protocol. According to Saul, the Overnight team has acknowledged the exposure and has paused its own contracts as well. Over $261,000, or 7.86% of the total worth of the collateral backing the stablecoin, may have been lost.
In a June 7 blog post explaining how read-only reentrancy attacks are carried out, pseudonymous blockchain investigator Officer’s Notes stated that these vulnerabilities are difficult for auditors to spot, since “Typically, auditors and bug hunters are only concerned with entry points that modify state when looking for reentrancy.”
To help alleviate this problem, Officer’s Notes recommends that auditors use specialized software to aid them in finding these vulnerabilities.
Era Lend runs on the zkSync network, a zero-knowledge proof Ethereum layer-2 rollup. In April, the network’s total value locked reached over $110 million. The network’s developers intend to create an ecosystem of interoperable chains called “Hyperchains” by the end of the year.