Era Lend on zkSync Exploited for $3.4 Million in Reentrancy Attack
The lending application was drained of funds using a "read-only reentrancy" bug, a type of vulnerability that is often difficult for auditors to spot.
The Era Lend lending app on zkSync has been exploited for $3.4 million worth of crypto, according to a July 25 report from blockchain security firm CertiK. The attacker used a "read-only reentrancy attack" to drain funds, a type of attack that interrupts a multi-step process and then causes it to continue after a malicious action has been performed. Specifically, a "read-only" reentrancy is one in which the reentrant call only reads a contract's state rather than updating it.
#CertiKSkynetAlert
We see reports that @Era_Lend has been exploited on zkSync
Total losses appear to be $3.4 million in a read-only reentrancy attack
See more below https://t.co/h8xrjccE5i
— CertiK Alert (@CertiKAlert) July 25, 2023
According to the report, the attacker drained funds in two separate transactions using the external account 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a. The attacker leveraged a vulnerability in the "callback function and _updateReserves" to manipulate a contract to report old values that had not yet been updated.
Era Lend is a fork of the Syncswap project, and CertiK has claimed that other Syncswap-based projects may also be vulnerable to the exploit.
Chain sleuth and Twitter user Spreek reported that the Syncswap code allows a user to "burn, then call again before update_reserves is called", causing the oracle to report incorrect values.
In syncswap LP tokens, one can burn and then recall before update_reserves is called. So the oracle uses an incorrect reserve value to calculate the price, which causes the oracle price to inflate.
— Spreek (@spreekaway)
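To make the ordering problem concrete, here is an added illustration in Solidity (a hypothetical minimal pool written for this article, not the Era Lend or SyncSwap code): a burn that calls back to the holder before `_updateReserves`, beside the checks-effects-interactions ordering and a reserve reader that refuses to answer while the pool is mid-call. `IBurnCallback`, `ReservePool` and its function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical minimal pool written for this note; not SyncSwap or Era Lend code.
interface IBurnCallback {
    function onBurn(uint256 amountOut) external;
}
contract ReservePool {
    uint256 public reserve;                     // cached reserve read by price consumers
    uint256 public totalSupply;                 // LP tokens outstanding
    mapping(address => uint256) public balanceOf;
    uint256 private _status;                    // 0 = idle, 1 = inside a guarded call

    modifier lock() {
        require(_status == 0, "REENTRANCY");
        _status = 1;
        _;
        _status = 0;
    }

    // Vulnerable ordering: the holder is called back before _updateReserves runs,
    // so a view read during the callback sees the OLD reserve against the already
    // reduced supply, i.e. an inflated reserve-per-LP price. The lock modifier does
    // not stop this, because the read is a view call that never takes the lock.
    function burnUnsafe(uint256 lpAmount) external lock {
        uint256 amountOut = reserve * lpAmount / totalSupply;
        balanceOf[msg.sender] -= lpAmount;
        totalSupply -= lpAmount;
        IBurnCallback(msg.sender).onBurn(amountOut); // control leaves the contract here
        _updateReserves(reserve - amountOut);
    }

    // Hardened ordering (checks-effects-interactions): settle every state variable
    // before any external call, so a mid-call reader sees a consistent snapshot.
    function burnSafe(uint256 lpAmount) external lock {
        uint256 amountOut = reserve * lpAmount / totalSupply;
        balanceOf[msg.sender] -= lpAmount;
        totalSupply -= lpAmount;
        _updateReserves(reserve - amountOut);
        IBurnCallback(msg.sender).onBurn(amountOut);
    }

    // Defence on the reader side: refuse to serve a price while the pool is mid-call.
    function reservePerLp() external view returns (uint256) {
        require(_status == 0, "READ_DURING_REENTRANCY");
        return reserve * 1e18 / totalSupply;
    }

    function _updateReserves(uint256 newReserve) internal { reserve = newReserve; }
}
```

A lending market that prices LP collateral should go through a guarded reader like `reservePerLp` rather than reading `reserve` and `totalSupply` directly, since only the reader can tell whether the pool is in the middle of a burn.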