On the 25th of July, EraLend was hit by a reentrancy attack that allowed an unknown bad actor to make off with about $3.4 million worth of crypto.
A reentrancy attack, a type of cyberattack affecting smart contracts, is one of the most common exploits against DeFi protocols.
In it, a bad actor identifies a security vulnerability in a smart contract’s code in order to repeatedly call a function within the contract before the completion of a previous function call. When executed (im)properly, these function calls can manipulate the price of tokens within the smart contract, allowing the attacker to withdraw far more from the protocol than should be possible.
Lack of Oracles Exploited
EraLend, an allegedly (according to their own website) low-risk zkSync decentralized lending protocol formerly known as Nexon Finance, eschewed the use of oracles, claiming that this made them less risky.
“Our lending platform is less risky because it does not depend on oracle and liquidation (external liquidity).”
Unfortunately for them – or rather, for their unfortunate users – their marketing was put to the test and found wanting.
Since the attack, which targeted the platform’s USDC stash, all borrowing operations have been suspended. Furthermore, the EraLend devs advised their community against depositing USDC on the platform until the issue is addressed.
🚨Security Update: We’ve experienced a security incident on our platform today. The threat has been contained. We’ve suspended all borrowing operations for now and advise against depositing USDC. We’re working with partners and cybersecurity firms to address this.
More updates…— EraLend | The #1 Money Market on zkSync🥇 (@Era_Lend) July 25, 2023
Cybersecurity Firms on The Case
In order to help EraLend devs get their platform back in order – and maybe even uncover the identity of the person behind the attack – several cybersecurity firms and other partners have been in contact. BlockSec has confirmed its involvement with the post-mortem of the attack.
We are assisting @Era_Lend to this issue, and the root cause has been identified. The total loss is ~$3.4M.
Specifically, this is a read-only re-entrancy attack.
Another attack tx is:https://t.co/H4A2suVLai
Attacker address:
0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a https://t.co/InhCCW7QAy— BlockSec (@BlockSecTeam) July 25, 2023
The exploit was originally announced by cybersecurity researchers Spreek and Saul. It’s still unconfirmed if the total loss of value stopped at $3.4 million.
“Apparently likely cause is read-only reentrancy affecting the LP token pricing. not sure about the size of the hack, might be much larger. still trying to figure out this rug block explorer rip.”
Although the amount stolen pales in comparison to hacks like those affecting the Ronin or Harmony, every bit of swiped crypto adds up.
Last year the total amount of value stolen from crypto investors broke the $10 billion barrier once investment scams, outright fraud, and other malicious schemes were taken into account. Today’s attack serves as yet another reminder to do your own research before investing your hard-earned money into any platform.
Binance Free $100 (Exclusive): Use this link to register and receive $100 free and 10% off fees on Binance Futures first month (terms).
PrimeXBT Special Offer: Use this link to register & enter CRYPTOPOTATO50 code to receive up to $7,000 on your deposits.