
Cyber Incident Victim: Era Lend

Date: Jul 2023

Location: United States of America

Summary

Era Lend, a lending application on the zkSync network, was exploited for $3.4 million in a read-only reentrancy attack. The attacker abused a contract flaw that caused the protocol to report outdated reserve values and withdrew funds on the basis of those stale values. The incident also affected the stablecoin USDC+ from Overnight Finance. In response, the Era Lend team paused its zkSync contracts to prevent further loss of funds.

Description

On or around July 25, 2023, the lending application Era Lend, operating on the zkSync network, was exploited, resulting in a loss of approximately $3.4 million worth of cryptocurrency. The incident was identified and reported by the blockchain security firm CertiK, which classified the attack as a “read-only reentrancy attack.” This type of attack interrupts a multi-step process within a smart contract and lets that process resume only after a malicious action has been performed in between. What distinguishes read-only reentrancy from other forms is that the attack does not update the state of the re-entered contract itself; instead it causes the contract to report outdated values that have not yet been refreshed, and any other contract that trusts those values is exposed.

The attacker drained funds through two separate transactions originating from the externally owned account with the address 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a. The vulnerability exploited was located in the callback mechanism and the _updateReserves function of the protocol's smart contract code. By leveraging this flaw, the attacker was able to make the contract report stale, not-yet-updated reserve values. That stale data is central to the attack's success: it allowed the attacker to withdraw funds against incorrect and inflated asset valuations that did not reflect the current state of the protocol's liquidity pools, enabling the substantial financial drain.

Era Lend is identified as a fork of the Syncswap project, a detail that points to a broader risk within the ecosystem. Following the attack, CertiK issued a warning that other projects based on the Syncswap codebase might carry the same vulnerability and could be susceptible to a similar exploit. This suggests the incident was not necessarily an isolated flaw unique to Era Lend's implementation but potentially a systemic issue in the forked code from which it was derived. On-chain analysis from several investigators reinforced the concern for other protocols.

The technical details of the exploit were elaborated upon by an on-chain sleuth and Twitter user known as Spreek. According to their analysis, the vulnerability in the Syncswap code allows a user to initiate a burn action and then execute a callback function before the critical update_reserves function is called. This sequence of operations opens a window in which an attacker can interact with the contract while its reported state is inaccurate. The oracle, which supplies price data, consequently reports these incorrect reserve values, and the attacker uses them to withdraw a disproportionate amount of assets from the lending pool. This explanation clarifies how the read-only reentrancy was practically executed against the protocol.
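The ordering problem described above, shown as an added illustration that is not Syncswap or Era Lend code: a minimal two-token pool whose burn path fires an external callback before its reserves are refreshed, beside a hardened variant that refreshes reserves first and makes its view function revert while a pool operation is in flight. All names (PoolBase, StalePool, SafePool, IERC20Like, IBurnCallback, reserve0/reserve1, _payOut) are assumptions for this example, and the mint logic is simplified to keep the contract self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the callback/_updateReserves ordering flaw. Every
// name here is an assumption for this example; this is not Syncswap or
// Era Lend code.

interface IERC20Like {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
}

interface IBurnCallback {
    function onBurn(uint256 amount0, uint256 amount1) external;
}

abstract contract PoolBase {
    IERC20Like public immutable token0;
    IERC20Like public immutable token1;
    uint256 public reserve0;
    uint256 public reserve1;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor(IERC20Like t0, IERC20Like t1) {
        token0 = t0;
        token1 = t1;
    }

    // Simplified deposit: caller transfers tokens in first, then receives LP
    // shares equal to the amount that arrived. No external call here, so this
    // toy mint has no reentrancy surface.
    function mint(address to) external returns (uint256 liquidity) {
        liquidity = (token0.balanceOf(address(this)) - reserve0)
                  + (token1.balanceOf(address(this)) - reserve1);
        balanceOf[to] += liquidity;
        totalSupply += liquidity;
        _updateReserves();
    }

    // Burns the caller's LP shares and pays out their pro-rata share of both reserves.
    function _payOut(address to) internal returns (uint256 a0, uint256 a1) {
        uint256 liquidity = balanceOf[msg.sender];
        a0 = liquidity * reserve0 / totalSupply;
        a1 = liquidity * reserve1 / totalSupply;
        balanceOf[msg.sender] = 0;
        totalSupply -= liquidity;
        require(token0.transfer(to, a0) && token1.transfer(to, a1), "TRANSFER");
    }

    function _updateReserves() internal {
        reserve0 = token0.balanceOf(address(this));
        reserve1 = token1.balanceOf(address(this));
    }
}

// Vulnerable ordering: the callback runs while reserve0/reserve1 still hold
// pre-burn values, so any contract that calls getReserves() during the callback
// (an oracle or a lending market) prices the pool as if nothing had left it.
contract StalePool is PoolBase {
    constructor(IERC20Like t0, IERC20Like t1) PoolBase(t0, t1) {}

    function getReserves() external view returns (uint256, uint256) {
        return (reserve0, reserve1);
    }

    function burn(address to, bool withCallback) external {
        (uint256 a0, uint256 a1) = _payOut(to);
        if (withCallback) IBurnCallback(to).onBurn(a0, a1); // stale reads possible here
        _updateReserves();                                  // refreshed too late
    }
}

// Hardened ordering: reserves are refreshed before any external call, and the
// view function refuses to answer while a pool operation is in progress, so a
// read-only reentrancy reverts instead of returning stale data.
contract SafePool is PoolBase {
    uint256 private _status = 1; // 1 = idle, 2 = entered

    constructor(IERC20Like t0, IERC20Like t1) PoolBase(t0, t1) {}

    modifier nonReentrant() {
        require(_status == 1, "REENTRANT");
        _status = 2;
        _;
        _status = 1;
    }

    function getReserves() external view returns (uint256, uint256) {
        require(_status == 1, "POOL_BUSY"); // consumers must not read mid-operation
        return (reserve0, reserve1);
    }

    function burn(address to, bool withCallback) external nonReentrant {
        (uint256 a0, uint256 a1) = _payOut(to);
        _updateReserves();                                  // effects first
        if (withCallback) IBurnCallback(to).onBurn(a0, a1); // interaction last
    }
}
```

The second mitigation matters as much as the first: a lending market or oracle that consumes pool reserves should either call a view that reverts while the pool's reentrancy lock is held, or check the lock state itself before trusting the numbers, because a plain view function cannot be protected by a standard nonReentrant modifier. Auditors reviewing forks of this pattern can look for any external call that precedes the reserve update and for any view function that exposes reserves without consulting the lock.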

In response to the attack, the Era Lend team acknowledged the security breach and took immediate action to mitigate further losses. The primary response was to pause the protocol’s contracts on the zkSync network. This emergency measure halted all operations and prevented any additional transactions from being processed, stopping the attacker from repeating the exploit and draining more funds from the compromised system. Pausing is a standard reactive procedure in decentralized finance incidents: it contains the damage while a full assessment and remediation plan are developed.

The ramifications of the attack extended beyond the Era Lend protocol itself. Another blockchain investigator, identified on Twitter as Saul, reported that the stablecoin USDC+, issued by the Overnight Finance protocol, was affected by the exploit. The connection appears to be that USDC+ was included among the assets within the Era Lend pools that were compromised. Following this revelation, the Overnight team also acknowledged their exposure to the incident and proceeded to pause their own contracts as a precautionary measure. Saul's analysis estimated that over $261,000 was lost, which represented approximately 7.86% of the total value of the collateral that was backing the USDC+ stablecoin at the time of the attack. This collateral damage highlights the interconnected nature of DeFi protocols, where an exploit on one platform can have direct financial consequences on other integrated projects and their associated assets.

The class of vulnerability exploited in this incident, the read-only reentrancy attack, had been detailed in a June 7 blog post by a pseudonymous blockchain investigator known as Officer’s Notes. The post explained that this category of attack is particularly difficult for security auditors and bug hunters to identify. The main reason is that traditional audit practice, when searching for reentrancy, concentrates scrutiny on entry points that modify the state of a contract. Since a read-only reentrancy does not involve state modification in the same way, it can easily evade standard manual review. Officer’s Notes recommended that, to combat these threats effectively, auditors should employ specialized software tools designed to detect such nuanced vulnerabilities rather than relying on manual inspection alone.

The incident occurred on the zkSync network, which is a zero-knowledge proof-based Ethereum layer-2 rollup designed to enhance scalability and reduce transaction costs. Prior to the exploit, the zkSync ecosystem had been experiencing significant growth, with its total value locked (TVL) surpassing $110 million in April of the same year. The network's developers have ambitious plans to develop an ecosystem of interoperable chains termed “Hyperchains” by the end of the year. The attack on a prominent application like Era Lend represents a significant security challenge for the emerging zkSync ecosystem, underscoring the critical importance of robust smart contract auditing and security practices as layer-2 solutions continue to expand and attract more capital and users. The event serves as a stark reminder of the persistent risks inherent in the rapidly evolving DeFi landscape.