Crypto Lending Protocol EraLend Loses $3.4M in zkSync Exploit
In Brief
EraLend was exploited on zkSync resulting in a total loss of $3.4 million.
The EraLend team said that the threat has been contained and all borrowing operations have been suspended for now.
Users are advised against depositing USDC into EraLend.
EraLend, the crypto lending protocol on zkSync, today experienced an exploit that resulted in a total loss of $3.4 million, according to smart contract audit service provider, BlockSec.
We are assisting @Era_Lend with this issue, and the root cause has been identified. The total loss is ~$3.4M.
— BlockSec (@BlockSecTeam) July 25, 2023
Specifically, this is a read-only re-entrancy attack.
Another attack tx is: https://t.co/H4A2suVLai
Attacker address:
0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a https://t.co/InhCCW7QAy
The EraLend team said that the threat has been contained and all borrowing operations have been suspended for now. Users are advised against depositing USDC into EraLend.
Twitter user Saul noted that some of Overnight.fi’s USD+ backing on zkSync is EraLend and urged users to sell their USD+ if they have any on zkSync. Saul said that the exploit was likely caused by EraLend allowing Liquidity Pools (LP) as collateral.
According to Saul’s calculations, Overnight.fi held 786,162 USDC in EraLend and borrowed around 283.0596 ETH ($524,509). This resulted in a potential maximum loss of $261,652. Considering USD+’s supply of 3,330,769, the maximum loss would be approximately 7.86%.
In a Discord message to users, Overnight.fi assured users that most of its assets are outside of EraLend and that it has paused USD+ on zkSync. The platform is working with EraLend on recovering users’ funds.
PeckShield, a leading blockchain security and data analytics company, confirmed a price oracle issue that affected LP token pricing. The exploit was triggered by a reentrancy problem that left the swap pool state inconsistent at the moment it was read. The price oracle, a critical tool responsible for determining current market prices, based its calculations on that inconsistent state. Consequently, the protocol’s view of the swap pool state, which it relies on to value user positions, showed irregularities.
“In the syncswap LP tokens, one can burn, then callback before update_reserves is called. So the oracle uses an incorrect reserves value to calculate the price, resulting in an inflating oracle price,” Crypto Twitter influencer spreekaway explained. BlockSec alerted users to be vigilant when relying on SyncSwap code that invokes a callback before its reserves are updated.
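The ordering problem spreekaway describes, modelled in Python as an added illustration (this is not code from SyncSwap, EraLend or the article): a toy pool that burns LP tokens, makes an external call, and only afterwards refreshes the cached reserves an oracle reads, shown beside the hardened order (effects before the call) and an oracle that refuses to read a pool whose reentrancy lock is set. Pool sizes, asset prices and the naive value-over-supply LP price formula are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Toy LP pool: cached reserves plus LP supply (constructed model)."""
    reserve0: float          # cached reserves that price oracles read
    reserve1: float
    total_supply: float      # LP tokens outstanding
    locked: bool = False     # reentrancy lock, set while a burn is in flight

    def burn(self, lp_amount, callback, effects_first):
        """Redeem LP tokens. `callback` stands in for the external call
        (recipient hook) made during the burn, where reads can happen."""
        self.locked = True
        out0 = self.reserve0 * lp_amount / self.total_supply
        out1 = self.reserve1 * lp_amount / self.total_supply
        self.total_supply -= lp_amount
        if effects_first:          # hardened order: refresh reserves first
            self.reserve0 -= out0; self.reserve1 -= out1
        callback()                 # external call: an oracle may read here
        if not effects_first:      # vulnerable order: reserves still stale
            self.reserve0 -= out0; self.reserve1 -= out1
        self.locked = False
        return out0, out1

def lp_price(pool, p0, p1):
    """Naive LP-token price: pool value divided by LP supply."""
    return (pool.reserve0 * p0 + pool.reserve1 * p1) / pool.total_supply

def lp_price_guarded(pool, p0, p1):
    """Defensive oracle: refuse to read a pool mid-interaction."""
    if pool.locked:
        raise RuntimeError("pool reentrancy lock set; state is inconsistent")
    return lp_price(pool, p0, p1)

def price_seen_during_burn(effects_first, guarded=False):
    """Return (fair price, price read inside the callback, price after burn).
    The in-callback value is None when the guarded oracle refuses the read."""
    pool = Pool(1_000_000.0, 500.0, 1000.0)   # 1M USDC, 500 ETH, 1000 LP
    p0, p1 = 1.0, 2000.0                       # constructed asset quotes
    fair = lp_price(pool, p0, p1)              # 2000.0 per LP token
    oracle = lp_price_guarded if guarded else lp_price
    seen = []
    def read():
        try:
            seen.append(oracle(pool, p0, p1))
        except RuntimeError:
            seen.append(None)
    pool.burn(500.0, read, effects_first)      # burn half the LP supply
    return fair, seen[0], lp_price(pool, p0, p1)
```

With the vulnerable order the oracle sees half the supply against untouched reserves and reports double the fair price, while the hardened order and the lock-aware oracle both avoid the stale read.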
EraLend confirmed that only USDC was affected by the exploit and all other assets remain secure. The team will provide updates to the community as more information becomes available.
About The Author
Cindy is a journalist at Metaverse Post, covering topics related to web3, NFT, metaverse and AI, with a focus on interviews with Web3 industry players. She has spoken to over 30 C-level execs and counting, bringing their valuable insights to readers. Originally from Singapore, Cindy is now based in Tbilisi, Georgia. She holds a Bachelor's degree in Communications & Media Studies from the University of South Australia and has a decade of experience in journalism and writing. Get in touch with her via cindy@mpost.io with press pitches, announcements and interview opportunities.