Defi platform Era Lend exploited on zkSync, losses $3.4m in assets

CertiK, a leading blockchain security firm, has issued an urgent Skynet Alert after receiving multiple reports of the defi platform Era Lend falling victim to an exploitation on zkSync. 

Losses are currently estimated to be around $3.4 million.

Another hacking

CertiK, a blockchain security technology company that frequently tweets about vulnerabilities, hacks and exploits in the space, identifies the attack as a “read-only reentrancy attack,” strategically targeting the platform’s multi-step processes, allowing the malicious actor to drain the funds while leaving little to no trace.

By definition, a “read-only reentrancy attack” is a method used by hackers to disrupt the natural flow of transactions within a smart contract. The attacker interrupts a series of operations and then manipulates the contract to continue executing malicious actions without updating its state.

The report goes on to highlight that the attacker drained funds using two separate transactions from the account 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a, in which they found a vulnerability in the callback and _updateReserves function that allowed them to manipulate a contract into reporting old values that had not yet been updated.

The Era Lend team promptly recognized the attack and took immediate action to safeguard their protocol’s zkSync contracts.

The platform then went on to release a statement on Discord that shared that only the USDC pool was compromised and, as a precautionary measure, users should refrain from depositing this asset for the time being.

Since Era Lend is a fork in the Syncswap project, which aims to bring easy-to-use decentralized finance (defi) and scales Ethereum (ETH) to the masses, Certik also suggests that other projects using Syncswap could be targets of the exploit.