EraLend, a lending protocol on Ethereum’s scaling blockchain, zkSync, faced a substantial exploit that resulted in a loss of $3.4 million, according to an analysis by CertiK, a leading firm in blockchain security.
The incident was described as a read-only reentrancy attack, a complex strategy allowing the perpetrator to tamper with asset prices via repeated calls to a smart contract, effectively looting assets.
🔔 #EraLend Update:
ZkSync attack resulted in $1.7M loss.
Verify your assets for reimbursement here https://t.co/gAnpA0tpph
Check even if no loss. #zkSyncEra pic.twitter.com/h249rQ2DLe
— zkSync ∎ (@_zksnyc) July 25, 2023
EraLend’s total capital locked on the platform took a considerable hit, dropping to $10.75 million from an earlier $18.5 million, as shown in data from DefiLlama.
The lending platform confirmed the security incident in an official statement on social media, noting that the threat was under control.
The tweet read: “We’ve experienced a security incident on our platform today. The threat has been contained. We’ve suspended all borrowing operations for now and advise against depositing USDC. We’re working with partners and cybersecurity firms to address this. More updates to follow.”
Conic Finance was also exploited last week, losing 1700 ETH due to a comparable exploit. The thief initiated a flash loan of 20,000 staked ETH, redirecting these funds to Conic’s price oracle, which set the stage for the exploit.
This vulnerability was subsequently leveraged, together with a manipulation of Conic’s price oracle that sources its data from a read-only smart contract provided by a third party.
