Cyber Incident Victim: Syncswap
Date: Jul 2023
Location: United States of America
Summary
A lending application on the zkSync network suffered a $3.4 million exploit through a read-only reentrancy attack, where the attacker manipulated contract functions to report outdated reserve values, exploiting vulnerabilities in callback mechanisms and reserve updates. The incident impacted stablecoin USDC+, resulting in additional losses exceeding $261,000 and prompting both the affected protocol and the stablecoin issuer to pause their contracts to mitigate further damage. Blockchain security analysts highlighted the exploit's sophistication, noting that similar vulnerabilities could exist in other projects derived from the same codebase due to challenges in detecting such attacks during audits.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On July 25, 2023, blockchain security firm CertiK reported that Era Lend, a lending application operating on the zkSync network, suffered a $3.4 million exploit due to a read-only reentrancy attack. The attacker, using externally owned account 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a, executed two transactions exploiting a vulnerability in the protocol's callback mechanism and `_updateReserves` function. This attack manipulated contracts into reporting outdated reserve values before updates were processed, enabling fund drainage. Era Lend, identified as a fork of the Syncswap project, had its vulnerability exposed through this method: an attacker could burn assets and trigger callbacks prior to reserve updates, causing oracles to relay incorrect data. On-chain investigator Spreek highlighted this sequence, noting the protocol's failure to prevent state inconsistencies during transaction processing. The attack specifically targeted Era Lend's contracts on zkSync, a layer-2 Ethereum rollup network that had surpassed $110 million in total value locked earlier that year.
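The ordering flaw described above, modelled as an added example (not Era Lend's or Syncswap's code): a simplified pool whose burn routine refreshes its cached reserves only after handing control to a callback, so a read-only price view queried during that callback returns stale reserves against an already-reduced share supply, beside the hardened ordering that commits state before the external call. The pool, balances and share counts are constructed for illustration.

```python
"""Constructed model of read-only reentrancy ordering. update_before_callback=False
reproduces the flawed sequence (cached reserves refreshed after the callback);
True applies checks-effects-interactions (state committed before the external call)."""
from typing import Callable, Optional


class Pool:
    def __init__(self, balance0: float, balance1: float, total_supply: float,
                 update_before_callback: bool):
        self.balance0 = balance0          # actual token balances held by the pool
        self.balance1 = balance1
        self.total_supply = total_supply  # LP shares outstanding
        self.update_before_callback = update_before_callback
        self._update_reserves()

    def _update_reserves(self) -> None:
        # Cached reserves are what read-only consumers (e.g. an oracle) query.
        self.reserve0, self.reserve1 = self.balance0, self.balance1

    def lp_price(self) -> float:
        """Read-only view: value of one LP share derived from the cached reserves."""
        return (self.reserve0 + self.reserve1) / self.total_supply

    def burn(self, shares: float, callback: Optional[Callable[["Pool"], None]] = None):
        """Redeem LP shares pro rata, then hand control to the recipient."""
        amount0 = self.balance0 * shares / self.total_supply
        amount1 = self.balance1 * shares / self.total_supply
        self.balance0 -= amount0
        self.balance1 -= amount1
        self.total_supply -= shares
        if self.update_before_callback:
            self._update_reserves()  # hardened: state committed before any external call
        if callback is not None:
            callback(self)           # external call: control leaves the contract here
        if not self.update_before_callback:
            self._update_reserves()  # flawed: cache refreshed only after the callback
        return amount0, amount1


def lp_price_seen_during_burn(update_before_callback: bool) -> tuple:
    """Return (LP price an oracle reads inside the callback, LP price after burn)."""
    pool = Pool(1000.0, 1000.0, 1000.0, update_before_callback)
    seen = []
    pool.burn(500.0, callback=lambda p: seen.append(p.lp_price()))
    return seen[0], pool.lp_price()
```

With the flawed ordering the view reports 4.0 per share mid-burn against a true value of 2.0; the hardened ordering reports 2.0 both times, which is the property a reserve-update audit should check on every entry point that hands control to external code.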

Following the exploit, Era Lend's team acknowledged the breach and paused all zkSync contracts to contain further damage. The incident also impacted stablecoin issuer Overnight Finance, whose USDC+ stablecoin lost approximately $261,000 (7.86% of its collateral backing) due to interconnected exposure. Overnight Finance confirmed the vulnerability and similarly paused its contracts. CertiK warned that other projects derived from Syncswap's codebase might share this vulnerability, as the root cause involved a systemic flaw in handling reentrancy during read operations. Blockchain investigator Officer’s Notes had previously documented the challenge of detecting such exploits in a June 7 blog post, noting auditors often overlook non-state-modifying entry points during security reviews. The incident underscored operational risks in decentralized finance protocols relying on forked codebases without comprehensive vulnerability assessments for edge-case attack vectors.
