Overview

EraLend, a leading decentralized lending protocol operating on the zkSync Layer 2 network, has fallen victim to a ‘read-only reentrancy attack,’ leading to a significant loss of $3.4 million.

About EraLend

EraLend is a trailblazer in the DeFi lending market, offering a state-of-the-art protocol that prioritizes capital efficiency and risk reduction. Powered by zkSync, EraLend supports nearly all crypto tokens, facilitating peer-to-peer lending with exceptional speed and minimal costs. EraLend is pioneering the first native suite of lending products on zkSync, setting its sights on propelling DeFi mass adoption. Through these groundbreaking endeavors, EraLend is redefining standards and shaping the future of finance.

About the attack

The attacker capitalized on a vulnerability within the smart contract code that allowed them to perform repeated calls to a function within a single transaction. This allowed them to withdraw more funds than they were entitled to, depleting resources in two distinct transactions using an externally owned account.

Notably, the exploit involved manipulating a contract to report outdated values that hadn’t yet been updated. Consequently, this had repercussions on the stablecoin USDC+, issued by the Overnight Finance protocol, resulting in a potential loss of over $261,000, which represents approximately 7.86% of the total value of the collateral supporting the stablecoin. EraLend tweeted about the exploit to inform users:

🚨Security Update: We've experienced a security incident on our platform today. The threat has been contained. We've suspended all borrowing operations for now and advise against depositing USDC. We're working with partners and cybersecurity firms to address this.
More updates…

— EraLend | The #1 Money Market on zkSync🥇 (@Era_Lend) July 25, 2023

In response to the attack, EraLend took immediate action by suspending the protocol’s zkSync contracts to mitigate further exploits. They also advised users against depositing USDC until the issue had been resolved. Borrowing operations on the platform have also been temporarily halted as the team works with cybersecurity firms to address this issue.

The attack strategy leveraged was a “read-only reentrancy attack," a method that doesn’t alter the status of a contract but managed to drain a substantial amount of money from the platform. The attacker managed to trick the contract into reporting out-of-date values using a flaw in “the callback and _updateReserves function.”

We are assisting @Era_Lend to this issue, and the root cause has been identified. The total loss is ~$3.4M.
Specifically, this is a read-only re-entrancy attack.
Another attack tx is:https://t.co/H4A2suVLai
Attacker address:
0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a https://t.co/InhCCW7QAy

— BlockSec (@BlockSecTeam) July 25, 2023

EraLend is resolute in its commitment to bolstering its security infrastructure to safeguard user funds and restore the confidence of its community. Despite the attack, the company remains committed to its ambitious plan to establish an ecosystem of interoperable chains named “Hyperchains” by December 2023.

More on the attack

The attack on EraLend primarily exploited the LP (Liquidity Pool) tokens as collateral. The attacker was able to manipulate LP token pricing, leading to significant losses. The exploit may have occurred due to EraLend allowing these LP tokens as collateral

Moreover, the attack on EraLend had a ripple effect on other platforms within the ecosystem, most notably Overnight.fi. The latter utilized EraLend similarly to Aave elsewhere, where they borrowed ETH against USDC and provided delta-neutral LP positions on Mute.io. As a result of the exploit, Overnight.fi’s USDC/ETH LP position on Mute.io, tied to EraLend, saw a drop in value, prompting users to sell their holdings on the platform. Overnight.fi has since paused USD+ on zkSync and is working with EraLend to maximize recovery efforts.

Furthermore, Peckshield, a blockchain security service, confirmed a price oracle issue related to the exploit. This tool, critical for determining current market prices, faced disruptions due to the attack, leading to inconsistencies in its calculations.

Aftermath of the Attack

While the total loss incurred by EraLend amounts to approximately $3.4 million, a secondary attack transaction involving $1 million USDC has been reported. This raises concerns about potential further losses, underscoring the gravity of the situation.

EraLend, after identifying the exploit, quickly issued a statement acknowledging the security incident and assuring its users that the threat had been contained. The protocol suspended all borrowing operations and advised users against depositing USDC until the situation had been resolved. EraLend also reassured its users that all assets other than USDC remained secure.

However, this incident has raised concerns over the potential vulnerabilities that may exist within the broader DeFi ecosystem. It serves as a potent reminder of the importance of robust security measures and constant vigilance in the world of decentralized finance.

Prevention of Future Attacks

In the aftermath of the attack, developers and industry experts highlighted the importance of implementing proper coding techniques to prevent such security breaches. One such preventive measure is a technique called “checks-effects-interactions,” which ensures that a smart contract always checks all the inputs and conditions before executing any state changes, then executes all state changes before interacting with any other contracts.

Through this incident, EraLend has shown commitment to maintaining the highest security standards and taking proactive measures to safeguard its users’ funds. The protocol is working with partners and cybersecurity firms to address the issues and mitigate the impact of the attack. EraLend’s commitment to strengthening its security infrastructure, despite the setback, reinforces the protocol’s dedication to its user community and the broader DeFi ecosystem.

Conclusion

In conclusion, the recent EraLend exploit underscores the urgent need for enhanced security measures in DeFi. Despite the setback, EraLend remains steadfast in bolstering its protocols to safeguard users. The incident not only challenges EraLend but also serves as a stark reminder for the broader DeFi ecosystem about potential vulnerabilities.