On July 25, lending app Era Lend on zkSync suffered an exploit resulting in $3.4 million worth of cryptocurrency being drained, according to blockchain security firm CertiK. The attackers used a "read-only reentrancy attack," which interrupts a multi-step process and then continues it after performing a malicious action. In this case, the reentrancy attack did not update the state of the contract, making it harder to detect.
The attackers conducted two transactions using an externally owned account, exploiting a vulnerability in the "callback and _updateReserves function" to manipulate contracts and report old values that had not been updated. Era Lend, a fork of the Syncswap project, was the target of the attack, and CertiK warned that other projects based on Syncswap may also be vulnerable to this exploit.
The attack also affected USDC+, a stablecoin issued by the Overnight Finance protocol. The potential loss from this incident is over $261,000, which is about 7.86% of the total value of the collateral backing the stablecoin. Both Era Lend and Overnight Finance acknowledged the attack and suspended their respective contracts to prevent further losses.
In a previous blog post, an anonymous blockchain investigator explained how read-only reentrancy attacks work and noted that it is challenging for auditors to detect these vulnerabilities since they typically focus on entry points that modify state. To improve detection, the investigator suggested that auditors use specialized software to identify these types of vulnerabilities.
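The mechanism described above (a pool whose reserves are written only after a mid-swap callback, and a dependent contract that reads those reserves during the callback) can be modelled without any chain. The following is an added example written for this article; it is not Era Lend or Syncswap code, and the names `Pool`, `Lender`, `PoolLocked` and the constant-product numbers are constructed for illustration. It shows the stale read that a view-only consumer sees while a swap is half-done, and one common mitigation: having the view refuse to answer while the pool's reentrancy lock is held, which is also the kind of cross-function check an auditor has to look for, since the view itself never modifies state.

```python
# Constructed toy model of read-only reentrancy; not Era Lend or Syncswap code.
# Class and function names here are illustrative assumptions.


class PoolLocked(Exception):
    """Raised when a guarded view is called while the pool is mid-swap."""


class Pool:
    """Constant-product pool whose reserves are updated only after an
    in-swap callback, so a read during that callback sees old values."""

    def __init__(self, reserve0: int, reserve1: int) -> None:
        self.reserve0 = reserve0
        self.reserve1 = reserve1
        self.locked = False  # nonReentrant flag, held for the whole swap

    def get_reserves(self) -> tuple:
        """Unguarded view: returns stored reserves even mid-swap (the weak form)."""
        return self.reserve0, self.reserve1

    def get_reserves_guarded(self) -> tuple:
        """Hardened view: refuses to answer while a swap is in progress, so a
        caller cannot be served reserves that have not yet been updated."""
        if self.locked:
            raise PoolLocked("reserves are being updated; read after the swap")
        return self.reserve0, self.reserve1

    def swap(self, amount0_in: int, callback=None) -> int:
        """Three-step swap: compute output, call the recipient back, then
        update reserves. The callback runs between steps 2 and 3."""
        if self.locked:
            raise PoolLocked("swap is nonReentrant")
        self.locked = True
        # Step 1: constant-product output (no fee, integer maths).
        amount1_out = self.reserve1 * amount0_in // (self.reserve0 + amount0_in)
        # Step 2: recipient callback, before the stored reserves change.
        if callback is not None:
            callback()
        # Step 3: the equivalent of _updateReserves runs only now.
        self._update_reserves(self.reserve0 + amount0_in, self.reserve1 - amount1_out)
        self.locked = False
        return amount1_out

    def _update_reserves(self, r0: int, r1: int) -> None:
        self.reserve0, self.reserve1 = r0, r1


class Lender:
    """Prices token0 from the pool's spot ratio reserve1 / reserve0."""

    def __init__(self, reserve_reader) -> None:
        self.read = reserve_reader

    def price_token0(self) -> float:
        r0, r1 = self.read()
        return r1 / r0


def observe_prices(guarded: bool) -> dict:
    """Run one swap with a callback that makes the lender read the pool
    mid-swap; return the price seen during the callback and after it."""
    pool = Pool(1000, 1000)
    reader = pool.get_reserves_guarded if guarded else pool.get_reserves
    lender = Lender(reader)
    seen = {}

    def during_swap() -> None:
        # The lender consults the pool while the swap is half-done.
        seen["during"] = lender.price_token0()

    pool.swap(500, callback=during_swap)
    seen["after"] = lender.price_token0()
    return seen


def guarded_read_is_refused() -> bool:
    """True if the hardened view blocks the mid-swap read."""
    try:
        observe_prices(guarded=True)
    except PoolLocked:
        return True
    return False


if __name__ == "__main__":
    unguarded = observe_prices(guarded=False)
    print("unguarded read during swap:", unguarded["during"])   # 1.0 (stale)
    print("price after swap completes:", unguarded["after"])     # ~0.4447
    print("guarded view refuses mid-swap read:", guarded_read_is_refused())
```

With the unguarded view the lender values token0 at the pre-swap ratio of 1.0 while the swap is in flight, even though the pool's true post-swap ratio is 667/1500; nothing in the lender's call path writes state, which is why an audit that only traces state-changing entry points misses it. The guarded view turns that stale read into a revert, the same effect as checking the pool's reentrancy lock before trusting its reserves.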
Era Lend operates on the zkSync network, an Ethereum Layer 2 rollup that uses zero-knowledge proofs. In April, the total value locked on the network exceeded $110 million, and the developers plan to create an ecosystem of interoperable chains called "Hyperchains" by the end of the year.