A recent security incident has shaken the lending market as EraLend on ZkSync faced a devastating exploit, resulting in a total loss of approximately $3.4 million. The attack was executed using a read-only reentrancy method, which allowed the attacker to manipulate LP token pricing and siphon significant funds from the platform. As the situation unfolds, cybersecurity experts are working closely with the project and its partners to contain the threat and investigate the root cause behind the breach.
Blocksec Assists EraLend in Identifying the Attack
Blocksec, a cybersecurity firm, has been actively assisting EraLend in investigating the incident. The root cause of the breach has been successfully identified, pointing to a read-only re-entrancy attack as the primary method of exploitation. This attack vector enabled unauthorized access to LP token pricing, resulting in significant financial losses.
The Extent of the Loss and a Secondary Attack Transaction
The total loss incurred by protocol amounts to approximately $3.4 million. This significant sum highlights the severity of the exploit and the need for robust security measures in the decentralized finance space. Additionally, a secondary attack transaction involving $1 million USDC has been reported, raising concerns about the potential for further losses.
EraLend’s Response and Temporary Suspension of Borrowing Operations
In response to the security incident, EraLend promptly suspended all borrowing operations on their platform. As a precautionary measure, they advised users against depositing USDC until the situation is resolved. The platform is actively collaborating with cybersecurity firms and industry partners to address the issue and prevent any further threats to user funds.
Impact on Overnight.fi and USD+ Backing
The security breach at EraLend on ZkSync has had ripple effects on other platforms within the ecosystem, including Overnight_fi. Overnight_fi had utilized EraLend as an equivalent of Aave elsewhere, where they borrowed ETH against USDC and provided delta-neutral LP positions on Mute.io.
As a result of the exploit, Overnight_fi’s USDC/ETH LP position on Mute.io, which was tied to EraLend, prompted users to sell their holdings on the platform. In response, Overnight_fi has paused USD+ on zkSync and will collaborate with EraLend to maximize recovery efforts. It is crucial to note that each chain is managed separately, ensuring that USD+ outside of zkSync remains unexposed to the security breach.
Peckshild Alert: Confirmation of Price Oracle Issue
Peckshield Alert, a blockchain security service, confirmed a price oracle issue related to the exploit. The root cause was identified as a re-entrancy with an inconsistent swap pool state, contributing to the vulnerability that allowed the attack to take place.
Conclusion
The security breach at EraLend on ZkSync has raised serious concerns about the safety of user funds and the need for robust security measures within the decentralized finance space. As the investigation continues, cybersecurity firms and industry partners are working diligently to contain the threat and protect users from future attacks. This incident serves as a crucial reminder for the industry to prioritize security and implement necessary safeguards to safeguard users’ assets and maintain trust in the evolving world of DeFi.