Era Lend, a decentralized lending protocol operating on zkSync Layer 2, become the latest victim of a reentrancy attack that resulted in a loss of $3.4 million, as confirmed by security analysts at BlockSec.
The attack exploited a read-only reentrancy vulnerability that allowed the hacker to make repeated calls to a function within a single transaction, withdrawing more funds than they were entitled to. Taking advantage of a faulty price oracle that Era Lend relied upon, the attacker used the reentrancy exploit to further drain assets from the protocol.
Typically, view functions labeled as read-only are considered safe, often lacking reentrancy protection since they don’t change the contract’s state. The term “read-only” indicates that the function merely performs a view action, such as calculating a token balance based on a third-party pool’s supply. In this incident, the third-party was another decentralized exchange called SyncSwap. However, as this case demonstrates, these functions can be manipulated to siphon off substantial funds.
“The attacker altered the LP’s price during the burn/mint actions of SyncSwap, using its reserves to determine the LP price [on Era Lend],” Lei Wu, co-founder and CTO of BlockSec, told The Block. “All projects that utilize the SyncSwap code should remain alert.”
Era Lend responds
“We have detected and confirmed a cyber attack on our platform. We want to assure you that the attack has been contained, and the threat actor can no longer continue their actions,” Era Lend said in a statement on Discord.
It clarified that only the USDC pool was compromised, while the security of assets other than USDC remains intact.
As a precautionary measure, the team advised users to refrain from depositing USDC for the time being. Additionally, borrowing operations on the platform have been temporarily halted, the team added.