EraLend, a leading decentralized lending protocol operating on the zkSync Layer 2 network, has fallen victim to a ‘read-only reentrancy attack,’ leading to a significant loss of $3.4 million.
EraLend is a trailblazer in the DeFi lending market, offering a state-of-the-art protocol that prioritizes capital efficiency and risk reduction. Powered by zkSync, EraLend supports nearly all crypto tokens, facilitating peer-to-peer lending with exceptional speed and minimal costs. EraLend is pioneering the first native suite of lending products on zkSync, setting its sights on propelling DeFi mass adoption. Through these groundbreaking endeavors, EraLend is redefining standards and shaping the future of finance.
About the attack
The attacker capitalized on a vulnerability within the smart contract code that allowed them to perform repeated calls to a function within a single transaction. This allowed them to withdraw more funds than they were entitled to, depleting resources in two distinct transactions using an externally owned account.
Notably, the exploit involved manipulating a contract to report outdated values that hadn’t yet been updated. Consequently, this had repercussions on the stablecoin USDC+, issued by the Overnight Finance protocol, resulting in a potential loss of over $261,000, which represents approximately 7.86% of the total value of the collateral supporting the stablecoin. EraLend tweeted about the exploit to inform users:
🚨Security Update: We've experienced a security incident on our platform today. The threat has been contained. We've suspended all borrowing operations for now and advise against depositing USDC. We're working with partners and cybersecurity firms to address this.
— EraLend | The #1 Money Market on zkSync🥇 (@Era_Lend) July 25, 2023
In response to the attack, EraLend took immediate action by suspending the protocol’s zkSync contracts to mitigate further exploits. They also advised users against depositing USDC until the issue had been resolved. Borrowing operations on the platform have also been temporarily halted as the team works with cybersecurity firms to address this issue.
The attack strategy leveraged was a “read-only reentrancy attack,” a technique in which the re-entered call is a view function that does not change the target contract’s state, yet it still drained a substantial amount of money from the platform. The attacker tricked the contract into reporting out-of-date values by exploiting a flaw in “the callback and _updateReserves function.”
We are assisting @Era_Lend to this issue, and the root cause has been identified. The total loss is ~$3.4M.
Specifically, this is a read-only re-entrancy attack.
Another attack tx is: https://t.co/H4A2suVLai
— BlockSec (@BlockSecTeam) July 25, 2023
EraLend is resolute in its commitment to bolstering its security infrastructure to safeguard user funds and restore the confidence of its community. Despite the attack, the company remains committed to its ambitious plan to establish an ecosystem of interoperable chains named “Hyperchains” by December 2023.
More on the attack
The attack on EraLend primarily exploited the LP (Liquidity Pool) tokens accepted as collateral. The attacker was able to manipulate the LP token pricing, leading to significant losses. The exploit may have been possible because EraLend allowed these LP tokens as collateral.
Moreover, the attack on EraLend had a ripple effect on other platforms within the ecosystem, most notably Overnight.fi. The latter utilized EraLend similarly to Aave elsewhere, where they borrowed ETH against USDC and provided delta-neutral LP positions on Mute.io. As a result of the exploit, Overnight.fi’s USDC/ETH LP position on Mute.io, tied to EraLend, saw a drop in value, prompting users to sell their holdings on the platform. Overnight.fi has since paused USD+ on zkSync and is working with EraLend to maximize recovery efforts.
Furthermore, PeckShield, a blockchain security service, confirmed a price oracle issue related to the exploit. The oracle, which the protocol relies on to determine current market prices, was disrupted by the attack, leading to inconsistencies in its calculations.
Aftermath of the Attack
While the total loss incurred by EraLend amounts to approximately $3.4 million, a secondary attack transaction involving $1 million USDC has been reported. This raises concerns about potential further losses, underscoring the gravity of the situation.
EraLend, after identifying the exploit, quickly issued a statement acknowledging the security incident and assuring its users that the threat had been contained. The protocol suspended all borrowing operations and advised users against depositing USDC until the situation had been resolved. EraLend also reassured its users that all assets other than USDC remained secure.
However, this incident has raised concerns over the potential vulnerabilities that may exist within the broader DeFi ecosystem. It serves as a potent reminder of the importance of robust security measures and constant vigilance in the world of decentralized finance.
Prevention of Future Attacks
In the aftermath of the attack, developers and industry experts highlighted the importance of proper coding techniques to prevent such security breaches. One such preventive measure is the “checks-effects-interactions” pattern, under which a smart contract first checks all inputs and conditions, then applies all of its state changes, and only then interacts with any other contract.
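The stale-reserve read described in the section on the callback and _updateReserves, and the ordering fix this paragraph recommends, as a constructed Python simulation added here (not EraLend’s, Mute.io’s or any project’s code; the toy pool, its balances and the `reserves_consistent` guard are assumptions for illustration):

```python
"""Constructed toy model (not EraLend or Mute.io code) of a read-only reentrancy
on an LP-token price feed: the pool's callback fires before `_update_reserves`,
so a lender reading mid-call sees stale reserves. `cei` selects the fixed order."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class ToyPool:
    balance_a: float            # real token balances held by the pool
    balance_b: float
    total_lp: float             # LP token supply
    cei: bool                   # True: update reserves before the callback
    reserve_a: float = 0.0      # cached reserves, the values a lender reads
    reserve_b: float = 0.0
    observed: List[Tuple[float, bool]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self._update_reserves()

    def _update_reserves(self) -> None:
        """Sync cached reserves with real balances (the step that lags)."""
        self.reserve_a, self.reserve_b = self.balance_a, self.balance_b

    def lp_price(self) -> float:
        """Pooled value per LP token from cached reserves (both assets worth 1)."""
        return (self.reserve_a + self.reserve_b) / self.total_lp

    def reserves_consistent(self) -> bool:
        """Lender-side guard: cached reserves must match the real balances."""
        return (self.reserve_a, self.reserve_b) == (self.balance_a, self.balance_b)

    def remove_liquidity(self, lp_amount: float, on_receive: Callable[["ToyPool"], None]) -> None:
        share = lp_amount / self.total_lp
        self.total_lp -= lp_amount                   # burn the LP tokens
        self.balance_a -= self.balance_a * share     # tokens leave the pool
        self.balance_b -= self.balance_b * share
        if self.cei:
            self._update_reserves()                  # effects before interaction
            on_receive(self)                         # recipient hook (e.g. ETH receive)
        else:
            on_receive(self)                         # hook runs on stale reserves
            self._update_reserves()


def price_seen_during_callback(cei: bool) -> Tuple[float, bool, float]:
    """(price read inside the hook, guard result inside the hook, settled price)."""
    pool = ToyPool(balance_a=1000.0, balance_b=1000.0, total_lp=1000.0, cei=cei)
    pool.remove_liquidity(500.0, lambda p: p.observed.append((p.lp_price(), p.reserves_consistent())))
    price, ok = pool.observed[0]
    return price, ok, pool.lp_price()
```

With the callback-first order the hook sees an LP price of 4.0 against a settled price of 2.0 and the guard fails; with effects applied first both readings agree and the guard passes.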
Through this incident, EraLend has shown commitment to maintaining the highest security standards and taking proactive measures to safeguard its users’ funds. The protocol is working with partners and cybersecurity firms to address the issues and mitigate the impact of the attack. EraLend’s commitment to strengthening its security infrastructure, despite the setback, reinforces the protocol’s dedication to its user community and the broader DeFi ecosystem.
In conclusion, the recent EraLend exploit underscores the urgent need for enhanced security measures in DeFi. Despite the setback, EraLend remains steadfast in bolstering its protocols to safeguard users. The incident not only challenges EraLend but also serves as a stark reminder for the broader DeFi ecosystem about potential vulnerabilities.