According to security company CertiK, the lending app Era Lend on zkSync was hacked for $3.4 million in cryptocurrency.
To drain the funds, the hacker employed a “read-only reentrancy attack,” a kind of attack that interrupts a multi-step process and resumes it only after a malicious action has been carried out. To be more precise, a “read-only” reentrancy does not change the state of the re-entered contract; it only reads values from that contract while one of its updates is still in progress.
The report claims the attacker used the externally owned account 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a to drain money in two transactions.
The attacker used a flaw in “the callback and _updateReserves function” to trick a contract into reporting out-of-date values. Era Lend is a fork of the Syncswap project, and according to CertiK, other Syncswap-based projects may also be vulnerable.
The Syncswap function reportedly allows users to “burn, then callback before update_reserves is called,” which causes the oracle to return false values, according to on-chain sleuth and Twitter user Spreek.
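As an added illustration of the ordering flaw the researchers describe, the Solidity below is not Syncswap, Era Lend or Overnight code: the pool, its share accounting, the `onBurn` callback interface and all contract names are simplified assumptions made for this example. `VulnerablePool.burn` hands control to the caller before `_updateReserves` runs, so its `getReserves` view answers with pre-burn numbers during the callback; `HardenedPool` shows the two independent fixes a pool can apply, refreshing state before the external call and making the view fail closed while a guarded function is in flight.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed illustration of the ordering flaw described above. This is
// not Syncswap, Era Lend or Overnight code; the share accounting, the
// callback interface and all names are simplifications assumed for the example.

interface IBurnCallback {
    function onBurn(uint256 amount0, uint256 amount1, bytes calldata data) external;
}

abstract contract PoolBase {
    // Cached reserves: the values an oracle consumer reads.
    uint256 public reserve0;
    uint256 public reserve1;
    // Live balances, standing in for ERC-20 balanceOf(address(this)) calls.
    uint256 internal balance0;
    uint256 internal balance1;
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    bool internal locked;
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // Seed liquidity so the example is self-contained: the deployer holds
    // all shares and the cached reserves start in sync with the balances.
    constructor(uint256 seed0, uint256 seed1) {
        balance0 = seed0;
        balance1 = seed1;
        reserve0 = seed0;
        reserve1 = seed1;
        totalShares = seed0;
        shares[msg.sender] = seed0;
    }

    // Share accounting shared by both variants: debit the caller's shares
    // and move the proportional token amounts out of the live balances.
    function _burnAccounting(uint256 shareAmount)
        internal
        returns (uint256 amount0, uint256 amount1)
    {
        require(shareAmount > 0 && shares[msg.sender] >= shareAmount, "bad share amount");
        amount0 = shareAmount * balance0 / totalShares;
        amount1 = shareAmount * balance1 / totalShares;
        shares[msg.sender] -= shareAmount;
        totalShares -= shareAmount;
        balance0 -= amount0;
        balance1 -= amount1;
    }

    function _updateReserves() internal {
        reserve0 = balance0;
        reserve1 = balance1;
    }

    function burn(uint256 shareAmount, bytes calldata data) external virtual;
    function getReserves() external view virtual returns (uint256, uint256);
}

// Weak ordering: the callback runs while reserve0/reserve1 still hold the
// pre-burn values. nonReentrant blocks a second burn(), but getReserves()
// is a view, so a lending contract that prices collateral from it during
// the callback reads stale reserves without any lock ever tripping.
contract VulnerablePool is PoolBase {
    constructor(uint256 s0, uint256 s1) PoolBase(s0, s1) {}

    function burn(uint256 shareAmount, bytes calldata data) external override nonReentrant {
        (uint256 a0, uint256 a1) = _burnAccounting(shareAmount);
        if (data.length > 0) IBurnCallback(msg.sender).onBurn(a0, a1, data); // interaction...
        _updateReserves();                                                   // ...then refresh
    }

    function getReserves() external view override returns (uint256, uint256) {
        return (reserve0, reserve1);
    }
}

// Two independent fixes; either one alone closes this window.
contract HardenedPool is PoolBase {
    constructor(uint256 s0, uint256 s1) PoolBase(s0, s1) {}

    function burn(uint256 shareAmount, bytes calldata data) external override nonReentrant {
        (uint256 a0, uint256 a1) = _burnAccounting(shareAmount);
        _updateReserves();                                                   // effects first...
        if (data.length > 0) IBurnCallback(msg.sender).onBurn(a0, a1, data); // ...then interaction
    }

    // Fail closed: the view refuses to answer while a guarded function is
    // in flight, so a consumer reading mid-transaction reverts instead of
    // acting on a stale price.
    function getReserves() external view override returns (uint256, uint256) {
        require(!locked, "pool busy");
        return (reserve0, reserve1);
    }
}
```

The second fix is the one that matters for the auditing point made later in the article: a conventional `nonReentrant` modifier only guards state-changing entry points, so a review that checks those alone will pass `VulnerablePool`. Any view that another protocol treats as a price source needs the same lock check, and a consuming protocol that cannot change the pool should treat a revert from such a view as a reason to abort its own transaction rather than fall back to a cached value.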
The Era Lend team confirmed the attack and suspended the protocol’s zkSync contracts to stop additional attacks, according to Spreek. The hack also hit the Overnight Finance protocol’s stablecoin USDC+, according to another blockchain researcher who goes by the handle Saul on Twitter.
According to Saul, the Overnight team has acknowledged the exposure and suspended its own contracts. It’s possible that more than $261,000, or 7.86% of the collateral supporting the stablecoin, was lost.
Pseudonymous blockchain researcher Officer’s Notes explained read-only reentrancy attacks in a blog post on June 7. They claimed that auditors have a hard time finding these vulnerabilities because “typically, auditors and bug hunters are only concerned with entry points that modify state when looking for reentrancy.”
To ease this issue, Officer’s Notes advises auditors to use specialist tools that help uncover these vulnerabilities.
Era Lend is based on the zkSync network, an Ethereum layer-2 rollup that uses zero-knowledge proofs.
The network’s total locked value surpassed $110 million in April. By the end of the year, the network’s developers want to have built a “Hyperchains” ecosystem of cooperative chains.