EraLend, a decentralized lending protocol operating on the zkSync Layer 2, has fallen victim to an exploit resulting in a loss of $3.4 million. The attack was confirmed by security analysts at BlockSec, who have been assisting the protocol in addressing the issue.
Following the attack, EraLend issued a statement acknowledging the security incident and assuring its users that the threat had been contained. The protocol has suspended all borrowing operations and advised users against depositing USDC until further notice.
Re-Entrancy Attack Strikes EraLend
According to BlockSec, the attack was a read-only re-entrancy attack. This attack involves a malicious actor repeatedly entering and exiting a contract function to manipulate the contract’s state and withdraw funds.
A reentrancy attack is an exploit that can occur in smart contracts, which are self-executing computer programs that run on decentralized blockchain networks like Ethereum.
In a reentrancy attack, a malicious user exploits a vulnerability in a smart contract by repeatedly calling a function within the contract before the previous function call has been completed, allowing them to manipulate the contract’s state and potentially steal funds.
During a smart contract function call, the contract's state is updated at some point before that call completes. If the function interacts with a second contract before it has finished, that second contract can call back into the first contract's function, and the first contract's state can then be changed multiple times before the original call completes.
This is what allows an attacker to manipulate the contract's state and steal funds.
To prevent reentrancy attacks, developers can use a technique called “checks-effects-interactions.” This means that a smart contract should always check all the inputs and conditions before executing any state changes, and then execute all state changes before interacting with any other contracts.
This ensures the contract's state is updated before any external interaction occurs, so a callback into the contract sees the already-updated state and reentrancy gains nothing. In this case, the attacker exploited a vulnerability in EraLend's contract code that allowed them to repeatedly withdraw funds without the protocol's knowledge.
EraLend has identified the root cause of the attack and is working with partners and cybersecurity firms to address the issue. The protocol has assured users that it will take all necessary steps to mitigate the attack’s impact and prevent similar incidents from occurring in the future.
While there have been no further updates, it is clear that EraLend is committed to maintaining the highest security standards and taking proactive measures to safeguard its users’ funds and data.