{"id":55214,"date":"2023-07-26T05:57:10","date_gmt":"2023-07-26T09:57:10","guid":{"rendered":"https:\/\/coinscreed.com\/staging\/?p=55214"},"modified":"2023-07-26T11:56:40","modified_gmt":"2023-07-26T15:56:40","slug":"defi-platform-era-lend-exploited-on-zksync","status":"publish","type":"post","link":"https:\/\/coinscreed.com\/staging\/defi-platform-era-lend-exploited-on-zksync\/","title":{"rendered":"Defi Platform Era Lend Exploited on zkSync"},"content":{"rendered":"\n

According to security company CertiK<\/a>, the lending app Era Lend on zkSync was hacked for $3.4 million in cryptocurrency. <\/p>\n\n\n\n

\"Defi
Defi Platform Era Lend Exploited on zkSync<\/figcaption><\/figure>\n\n\n\n

The hacker employed a “read-only reentrancy attack,” a kind of assault that stops a multi-step process and then makes it resume after a malicious action has been carried out, to drain the cash. To be more precise, a “read-only” reentrancy does not change the status of a contract.<\/p>\n\n\n\n

\n

#CertiKSkynetAlert\r\n \r\n \r\n \r\n <\/g>\r\n \r\n \r\n \r\n <\/clipPath>\r\n <\/defs><\/svg><\/span><\/a>\ud83d\udea8

We are seeing reports that @Era_Lend<\/use><\/svg><\/span><\/a> has been exploited on zkSync

Total losses appear to be $3.4 million in a read only reentrancy attack

See more below \ud83d\udc47https:\/\/t.co\/h8xrjccE5i<\/use><\/svg><\/span><\/a><\/p>— CertiK Alert (@CertiKAlert) July 25, 2023<\/use><\/svg><\/span><\/a><\/blockquote>

The report claims the attacker used the externally held account 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a to drain money in two transactions. <\/p>\n\n\n\n

The attacker used a flaw in “the callback and _updateReserves function” to trick a contract into reporting out-of-date values. The Syncswap project<\/use><\/svg><\/span><\/a> was forked into Era Lend, and according to CertiK, additional Syncswap-based projects may also be vulnerable.<\/p>\n\n\n\n

The Syncswap function reportedly allows users to “burn, then callback before update_reserves is called,” which causes the oracle to return false values, according to on-chain sleuth and Twitter user<\/a> Spreek.<\/p>\n\n\n\n

The Era Lend team confirmed the assault and suspended the protocol's zkSync contracts to stop additional attacks, according to Spreek. The hack hit the Overnight Finance protocol's stablecoin USDC+, according to another blockchain researcher who goes by the handle Saul on Twitter. <\/p>\n\n\n\n

According to Saul, the Overnight team has acknowledged the exposure and suspended its own contracts. It's possible that more than $261,000, or 7.86% of the collateral supporting the stablecoin, was lost.<\/p>\n\n\n\n

Pseudonymous blockchain researcher Officer's Notes explained read-only reentrancy attacks in a blog post on June 7. They claimed that auditors have a hard time finding these vulnerabilities because “typically, auditors and bug hunters are only concerned with entry points that modify state when looking for reentrancy.”<\/p>\n\n\n\n

Officer's Notes advises auditors to utilize specialist tools to help them uncover these vulnerabilities to help ease this issue. Era Lend is based on the zkSync network, an Ethereum layer-2 rollup with zero-knowledge proof<\/a>. <\/p>\n\n\n\n

The network's total locked value surpassed $110 million in April. By the end of the year, the network's developers want to have built a “Hyperchains” ecosystem of cooperative chains.<\/p>\n","protected":false},"excerpt":{"rendered":"

According to security company CertiK, the lending app Era Lend on zkSync was hacked for $3.4 million in cryptocurrency. The hacker employed a “read-only reentrancy attack,” a kind of assault that stops a multi-step process and then makes it resume after a malicious action has been carried out, to drain the cash. To be more […]<\/p>\n","protected":false},"author":43,"featured_media":55218,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[21],"tags":[15466,12489],"class_list":["post-55214","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-era-lend","tag-zksync"],"jetpack_featured_media_url":"https:\/\/coinscreed.com\/staging\/wp-content\/uploads\/2023\/07\/croc_1690363922561.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts\/55214","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/users\/43"}],"replies":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/comments?post=55214"}],"version-history":[{"count":0,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/posts\/55214\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/media\/55218"}],"wp:attachment":[{"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/media?parent=55214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/categories?post=55214"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/coinscreed.com\/staging\/wp-json\/wp\/v2\/tags?post=55214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}