zkSync lending leader EraLend exploited in attack, resulting in a loss of over $3.4 million
EraLend, a lending protocol on Ethereum's zkSync, fell victim to a "reentrancy attack" exploit, resulting in a loss of $3.4 million. The team has confirmed the incident and assured users that the situation is under control. It advises users to refrain from depositing $USDC temporarily and has halted all lending services. The thriving development of the zkSync ecosystem over the past six months has also made it a target for hackers.
EraLend Suffers Severe Attack
Attack Originated from Exploiting Vulnerability
According to blockchain security company CertiK's announcement, EraLend, the largest lending protocol on Ethereum zkSync, suffered an attack yesterday resulting in a loss of $3.4 million due to a vulnerability exploit related to a "Read-only Reentrancy Attack."
Security analyst Spreek pointed out on Twitter that the hacker drained the funds in two transactions. By repeatedly calling a specific function within a single transaction, the attacker disrupted the original multi-step verification process, so the contract kept executing the malicious operations before its state had been updated, which allowed withdrawals beyond what was authorized.
It is reported that this vulnerability is difficult for auditors to detect, and smart contracts need to be regularly upgraded to minimize the possibility of successful attacks.
CertiK claims that due to EraLend's relationship with SyncSwap, other projects related to SyncSwap may also have this vulnerability, making them susceptible to attacks.
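The read-only reentrancy class named above, as an added example (a simplified Python model written for this article, not EraLend or SyncSwap code): a pool makes an external call while its stored state is half-updated, and a lender that reads the pool's price during that call sees an inflated value unless the view refuses to answer mid-update. The names `Pool`, `Lender`, `lp_price` and all numbers are constructed for illustration.

```python
# Constructed, simplified model of read-only reentrancy; not EraLend or SyncSwap code.
class ReentrantRead(Exception):
    """Raised when a view is read while the pool is mid-operation."""

class Pool:
    """Pool whose LP token price is derived from stored reserves and supply."""
    def __init__(self, reserve_a, reserve_b, guarded):
        self.reserve_a, self.reserve_b = reserve_a, reserve_b
        self.supply = 1000.0      # LP tokens outstanding (constructed value)
        self.guarded = guarded    # hardened variant: views check the lock
        self.locked = False

    def lp_price(self):
        """View: value of one LP token (assets A and B assumed to be worth 1 each)."""
        if self.guarded and self.locked:
            raise ReentrantRead("pool state is mid-update")
        return (self.reserve_a + self.reserve_b) / self.supply

    def withdraw(self, lp_amount, callback):
        """Burns LP tokens, makes an external call, then updates reserves."""
        self.locked = True
        share = lp_amount / self.supply
        out_a, out_b = self.reserve_a * share, self.reserve_b * share
        self.supply -= lp_amount   # supply is already reduced here...
        callback()                 # ...but reserves are still the old values
        self.reserve_a -= out_a
        self.reserve_b -= out_b
        self.locked = False

class Lender:
    """Values LP collateral from the pool's view and lends up to 50% of it."""
    def __init__(self, pool):
        self.pool = pool

    def max_borrow(self, lp_collateral):
        try:
            return lp_collateral * self.pool.lp_price() * 0.5
        except ReentrantRead:
            return 0.0             # refuse to price against inconsistent state

def limits_during_and_after_withdraw(guarded):
    """Returns the borrow limit seen inside the callback and after it completes."""
    pool = Pool(1000.0, 1000.0, guarded)
    lender = Lender(pool)
    seen = []
    pool.withdraw(500.0, lambda: seen.append(lender.max_borrow(100.0)))
    return seen[0], lender.max_borrow(100.0)
```

Without the guard, the limit read inside the callback is 200.0 against 100.0 once the withdrawal completes; with the guard, the mid-update read is refused and the lender returns 0.0.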
DefiLlama data shows that EraLend's Total Value Locked (TVL) dropped by over 73% in less than a day, leaving only $5 million, putting its operations in jeopardy.
Subsequent Actions by Development Team
Shortly after the attack, the EraLend team released a statement on their Discord:
We have investigated and confirmed the attack on EraLend, assuring users that the situation is under control and the hacker can no longer continue the attack.
They added that only the USDC pool was affected, and all other assets are safe. As a precaution, the team also advised users not to deposit $USDC temporarily, and the platform has suspended all lending services.
What is EraLend?
EraLend is a lending protocol on zkSync, an Ethereum Layer 2 (L2) network based on zero-knowledge proofs. It aims to achieve low-risk features without relying on external liquidity, simplifying user experience and increasing capital efficiency.
The flourishing development of the DeFi ecosystem in the first half of the year has also led to explosive growth of zkSync. The network's TVL broke through an unprecedented $195 million last week and is still on the rise, making it a lucrative target for hackers.