Crypto Lending Protocol EraLend Loses $3.4M in zkSync Exploit
EraLend was exploited on zkSync resulting in a total loss of $3.4 million.
The EraLend team said that the threat has been contained and all borrowing operations have been suspended for now.
Users are advised against depositing USDC into EraLend.
EraLend, the crypto lending protocol on zkSync, today experienced an exploit that resulted in a total loss of $3.4 million, according to smart contract audit service provider BlockSec.
We are assisting @Era_Lend to this issue, and the root cause has been identified. The total loss is ~$3.4M. — BlockSec (@BlockSecTeam) July 25, 2023
Specifically, this is a read-only re-entrancy attack.
Another attack tx is: https://t.co/H4A2suVLai
The EraLend team said that the threat has been contained and all borrowing operations have been suspended for now. Users are advised against depositing USDC into EraLend.
Twitter user Saul noted that some of Overnight.fi’s USD+ backing on zkSync is EraLend and urged users to sell their USD+ if they have any on zkSync. Saul said that the exploit was likely caused by EraLend allowing Liquidity Pools (LP) as collateral.
According to Saul’s calculations, Overnight.fi held 786,162 USDC in EraLend and borrowed around 283.0596 ETH ($524,509). This resulted in a potential maximum loss of $261,652. Considering USD+’s supply of 3,330,769, the maximum loss would be approximately 7.86%.
In a Discord message to users, Overnight.fi assured users that most of its assets are outside of EraLend and that it has paused USD+ on zkSync. The platform is working with EraLend on recovering users’ funds.
PeckShield, a leading blockchain security and data analytics company, confirmed a price oracle issue that has impacted LP token pricing. The exploit was triggered by a reentrancy problem, leading to inconsistencies in the swap pool state. The price oracle, a critical tool responsible for determining current market prices, faced disruptions in its calculations due to this issue. Consequently, the program’s ability to track user transactions through the swap pool state exhibited irregularities.
“In the syncswap LP tokens, one can burn, then callback before update_reserves is called. So the oracle uses an incorrect reserves value to calculate the price, resulting in an inflating oracle price,” Crypto Twitter influencer spreekaway explained. BlockSec urged users to be vigilant when using the callback and update-reserves code in SyncSwap.
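The ordering problem described above can be modelled in a few lines. This is an added example, not code from SyncSwap, EraLend or the article: the names Pool, burn, on_burn and lp_price are hypothetical, both tokens are assumed to be worth 1, and the numbers are constructed. It shows the price an oracle reads during the callback under the vulnerable ordering, next to two mitigations: updating reserves before the callback, and an oracle that refuses to price while the pool's reentrancy lock is held.

```python
# Simplified model of the ordering described above. Not SyncSwap or EraLend code;
# Pool, burn, on_burn and lp_price are hypothetical names, both tokens valued at 1.

class Pool:
    def __init__(self, amount0, amount1, supply, effects_first=False):
        self.balance0, self.balance1 = amount0, amount1  # tokens actually held
        self.reserve0, self.reserve1 = amount0, amount1  # cached values the oracle reads
        self.supply = supply                             # LP tokens outstanding
        self.effects_first = effects_first               # True = update state before callback
        self.locked = False                              # reentrancy flag readers can check

    def _update_reserves(self):
        self.reserve0, self.reserve1 = self.balance0, self.balance1

    def burn(self, lp_amount, on_burn):
        self.locked = True
        try:
            share0 = self.balance0 * lp_amount // self.supply
            share1 = self.balance1 * lp_amount // self.supply
            self.supply -= lp_amount          # LP supply drops immediately
            self.balance0 -= share0           # tokens leave the pool
            self.balance1 -= share1
            if self.effects_first:
                self._update_reserves()       # hardened: cache matches balances first
            on_burn(self)                     # external callback runs here
            self._update_reserves()           # vulnerable ordering: cache synced only now
        finally:
            self.locked = False


def lp_price(pool, respect_lock=False):
    """Oracle: value of one LP token computed from the pool's cached reserves."""
    if respect_lock and pool.locked:
        raise RuntimeError("pool is mid-operation; refusing to price")
    return (pool.reserve0 + pool.reserve1) / pool.supply


def price_seen_in_callback(effects_first=False, respect_lock=False):
    """Return (price before, price or error seen during callback, price after)."""
    pool, seen = Pool(1000, 1000, 1000, effects_first), []
    def on_burn(p):
        try:
            seen.append(lp_price(p, respect_lock))
        except RuntimeError as exc:
            seen.append(str(exc))
    before = lp_price(pool)
    pool.burn(500, on_burn)
    return before, seen[0], lp_price(pool)
```

In the vulnerable ordering the stale reserves are divided by the already-reduced LP supply, so the price read mid-callback is double the true value, even though the prices before and after the burn are correct.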
EraLend confirmed that only USDC was affected by the exploit and all other assets remain secure. The team will provide updates to the community as more information becomes available.