An attacker compromised the EraLend lending protocol on the zkSync Era network, stealing $3.4 million worth of digital assets.
Representatives of the project confirmed the hack. The developers suspended all credit transactions and advised users not to make new deposits.
The EraLend team is now liaising with security company BlockSec to investigate the incident.
It is likely that the hacker used a “read-only reentrancy” exploit against the SyncSwap DEX. This allowed the attacker to manipulate the price oracle and withdraw wrapped ETH and USDC.
“The attacker changed the price of the liquidity tokens during SyncSwap’s actions to burn or release [coins], using their reserves to assign their own rate. All projects using the affected exchange’s code should remain on guard,” BlockSec emphasised.
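The inconsistent state behind a read-only reentrancy, shown as an added example that is not code from the article, SyncSwap or EraLend. It is a toy Python pool whose burn reduces LP supply and calls out before refreshing its cached reserves, with a naive price read beside one that checks the pool's lock. That ordering, the 1:1 token pricing and all names are assumptions.

```python
# Simplified model, constructed for illustration; not SyncSwap or EraLend code.
class ReadDuringUpdate(Exception):
    """Raised when the price is requested while the pool is mid-operation."""

class Pool:
    def __init__(self, reserve0, reserve1, total_supply):
        self.reserve0, self.reserve1 = reserve0, reserve1  # cached reserves
        self.total_supply = total_supply                   # LP tokens outstanding
        self.locked = False                                # reentrancy flag

    def burn(self, lp_amount, callback):
        """Redeem LP tokens. `callback` stands in for external code that runs
        during the payout, before the cached reserves are refreshed (assumed order)."""
        self.locked = True
        out0 = self.reserve0 * lp_amount // self.total_supply
        out1 = self.reserve1 * lp_amount // self.total_supply
        self.total_supply -= lp_amount   # supply is already reduced...
        callback()                       # ...while reserves are still stale
        self.reserve0 -= out0            # reserves catch up only here
        self.reserve1 -= out1
        self.locked = False

def naive_lp_price(pool):
    # Reserve value per LP token; both tokens priced at 1 for simplicity.
    return (pool.reserve0 + pool.reserve1) / pool.total_supply

def guarded_lp_price(pool):
    # Mitigation: a view function that refuses to answer while the pool is locked.
    if pool.locked:
        raise ReadDuringUpdate("pool state is inconsistent")
    return naive_lp_price(pool)

def demo():
    pool = Pool(1_000_000, 1_000_000, 1_000_000)
    seen = {"before": naive_lp_price(pool)}

    def hook():
        # What a lending protocol's oracle would observe mid-burn.
        seen["during_naive"] = naive_lp_price(pool)
        try:
            guarded_lp_price(pool)
            seen["guard_blocked"] = False
        except ReadDuringUpdate:
            seen["guard_blocked"] = True

    pool.burn(900_000, hook)
    seen["after"] = guarded_lp_price(pool)
    return seen
```

The write path can be fully protected by a reentrancy lock and the read path still returns a wrong price unless the view function, or the consumer reading it, checks the same lock.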
According to L2BEAT data, the total value locked (TVL) on the L2 network zkSync Era has fallen from $735 million to $437 million in the 20 days since 5 July, a 40% drop. Over the same period, rival Starknet’s figure has increased by 80%, from $71 million to $128 million.
Recall that in July, a hacker withdrew $1.5 million from the DeFi protocol Rodeo Finance through oracle manipulation.
Later, the Alphapo project was attacked. The losses from the hack totalled about $60 million.
During the first half of 2023, the crypto industry faced 395 hacks, losing about $479.4 million as a result.