Lending app Era Lend on zkSync has been exploited for $3.4 million worth of crypto, according to a July 25 report from blockchain security firm CertiK. The attacker used a “read-only reentrancy attack” to drain the funds. Reentrancy in general means re-entering a contract in the middle of a multi-step operation, before it has finished updating its state, and letting the operation continue after the malicious action has been performed. In the “read-only” variant the re-entered function does not itself update any state: it is a view function, such as a price oracle reading a pool’s reserves, that is called while the contract’s stored values are stale, so whatever consumes that reading acts on numbers that have not yet been updated.
#CertiKSkynetAlert: We are seeing reports that @Era_Lend has been exploited on zkSync. Total losses appear to be $3.4 million in a read-only reentrancy attack. See more below https://t.co/h8xrjccE5i
According to the report, the attacker drained funds in two separate transactions, using the externally owned account 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a. The attacker relied on a vulnerability in “the callback and _updateReserves function” to make a contract report old values that had not yet been updated.
Era Lend is a fork of the Syncswap project, and CertiK claimed that other projects based on Syncswap may also be vulnerable to the exploit.
On-chain sleuth and Twitter user Spreek reported that the Syncswap code allows a user to “burn, then callback before update_reserves is called,” causing the oracle to report incorrect values.
In the Syncswap LP tokens, one can burn, then callback before update_reserves is called. So the oracle uses an incorrect reserves value to calculate the price, resulting in an inflated oracle price. pic.twitter.com/0U7Vu7BzJM
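The ordering Spreek describes, shown as an added illustration that is not Syncswap’s, Era Lend’s or CertiK’s code: a deliberately simplified pool whose burn pays out, calls back into the recipient and only then refreshes its cached reserves; an oracle that prices the LP token from those cached reserves; a contract that reads the oracle from inside the callback; and a hardened pool that refreshes reserves before the callback and exposes a reentrancy lock. All contract names, the onBurn callback, the toy pricing formula and the constructor amounts are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added, simplified model of the ordering problem described above (burn, then
// callback, then reserve update). Not Syncswap's or Era Lend's code; the
// contract names, the onBurn callback and the pricing maths are assumptions.

interface IBurnCallback {
    function onBurn(uint256 amount0, uint256 amount1) external;
}

/// Vulnerable pool: cached reserves are refreshed only AFTER the callback, so a
/// view read from inside the callback sees old reserves against a reduced supply.
contract VulnerablePool {
    uint256 public reserve0;     // cached reserves that oracles read
    uint256 public reserve1;
    uint256 public totalSupply;  // LP token supply
    mapping(address => uint256) public balanceOf;
    uint256 internal bal0;       // underlying actually held by the pool
    uint256 internal bal1;

    constructor(uint256 a0, uint256 a1) {
        bal0 = a0; bal1 = a1;
        totalSupply = a0 + a1;   // toy: one LP token per unit deposited
        balanceOf[msg.sender] = totalSupply;
        _updateReserves();
    }

    function transfer(address to, uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }

    function burn(address to) external virtual {
        uint256 liquidity = balanceOf[msg.sender];
        uint256 amount0 = liquidity * bal0 / totalSupply;
        uint256 amount1 = liquidity * bal1 / totalSupply;
        balanceOf[msg.sender] = 0;
        totalSupply -= liquidity;                   // supply shrinks...
        bal0 -= amount0; bal1 -= amount1;           // ...underlying leaves...
        IBurnCallback(to).onBurn(amount0, amount1); // ...reserves still stale here
        _updateReserves();
    }

    function _updateReserves() internal { reserve0 = bal0; reserve1 = bal1; }
}

/// Hardened pool: all effects, including the reserve refresh, precede the
/// external call, and a lock is exposed so consumers can refuse to price the
/// LP token while a burn is in flight.
contract HardenedPool is VulnerablePool {
    bool public locked;
    constructor(uint256 a0, uint256 a1) VulnerablePool(a0, a1) {}

    function burn(address to) external override {
        require(!locked, "reentrant");
        locked = true;
        uint256 liquidity = balanceOf[msg.sender];
        uint256 amount0 = liquidity * bal0 / totalSupply;
        uint256 amount1 = liquidity * bal1 / totalSupply;
        balanceOf[msg.sender] = 0;
        totalSupply -= liquidity;
        bal0 -= amount0; bal1 -= amount1;
        _updateReserves();                          // refresh BEFORE calling out
        IBurnCallback(to).onBurn(amount0, amount1);
        locked = false;
    }
}

/// LP-token oracle of the kind a lender uses: values one LP token from the
/// pool's cached reserves (toy: both assets worth 1 unit, result 1e18-scaled).
contract LpOracle {
    VulnerablePool public immutable pool;
    constructor(VulnerablePool p) { pool = p; }

    function lpPrice() external view returns (uint256) {
        return (pool.reserve0() + pool.reserve1()) * 1e18 / pool.totalSupply();
    }
}

/// Holder of part of the LP supply that burns and, from inside the callback,
/// reads the oracle. Against VulnerablePool the mid-callback price is inflated.
contract ReadOnlyReentrancyDemo is IBurnCallback {
    VulnerablePool public immutable pool;
    LpOracle public immutable oracle;
    uint256 public priceBefore;
    uint256 public priceDuringCallback;
    uint256 public priceAfter;
    constructor(VulnerablePool p, LpOracle o) { pool = p; oracle = o; }

    function run() external {
        priceBefore = oracle.lpPrice();
        pool.burn(address(this));   // re-enters onBurn below
        priceAfter = oracle.lpPrice();
    }

    function onBurn(uint256, uint256) external override {
        priceDuringCallback = oracle.lpPrice();
    }
}
```

Deploying this in a sandbox such as Remix with VulnerablePool(1000, 1000), then LpOracle(pool) and ReadOnlyReentrancyDemo(pool, oracle), transferring 500 LP tokens to the demo contract and calling run() leaves priceBefore and priceAfter at 1e18 but priceDuringCallback at about 1.33e18 (cached reserves of 2000 against a supply already reduced to 1500). That stale, inflated reading is what any contract that trusts the oracle mid-transaction would act on. Substituting HardenedPool gives 1e18 at all three points, because reserves are refreshed before control leaves the pool; a consumer can additionally require(!pool.locked()) before trusting the price.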
Spreek also reported that the Era Lend team had acknowledged the attack and paused the protocol’s zkSync contracts to prevent further exploits.
Another blockchain investigator, known on Twitter as Saul, reported that the attack
Read more on cointelegraph.com