In the world of crypto, security is not only a concern, but a necessity. Yet, despite the industry’s best efforts, vulnerabilities persist, with recent exploits undeniably proving this point.
Lending app Era Lend on zkSync experienced a sobering $3.4 million exploit. This was not the result of a flamboyant hacker attack; instead, it was a “read-only reentrancy” bug. As intricate and tame as that sounds, the effects were anything but. The subtle exploit works by interrupting a multi-step process and performing a malicious action while that process is still incomplete.
Era Lend, a fork of the Syncswap project, wasn’t an easy target. The attacker had to navigate around the app’s safeguards before draining funds from Era Lend in two separate transactions. A vulnerability in “the callback and _updateReserves function” was exploited, manipulating a contract into reporting values that had not yet been updated.
However, while this incident rattled trust in Era Lend, it also acted as a wake-up call for projects built on Syncswap. According to CertiK, these projects are potentially exposed to similar threats, a striking revelation that has brought immense attention to the issue.
Notably, the contract under attack does not need to have its state updated for the attack to succeed. Read-only reentrancy attacks can be just as devastating without triggering massive alarm bells. According to Officer’s Notes, a blockchain investigator, these vulnerabilities can indeed be rather elusive for auditors. The answer may lie in using specialized software to detect these sophisticated exploits.
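The pattern described above (an external callback running before reserves are updated, so a view function reports stale values to anyone who reads it) is easier to audit for when seen side by side with its fix. The following is an added, constructed illustration, not Era Lend or Syncswap code; the names Pool, burn, onCallback, getPrice and _updateReserves are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example of the read-only reentrancy pattern; names are hypothetical.
interface ICallback {
    function onCallback(uint256 amount0, uint256 amount1) external;
}

contract VulnerablePool {
    uint256 public reserve0;
    uint256 public reserve1;

    // Price read by other protocols (e.g. a lender valuing collateral).
    // It trusts the reserves, so it is only correct when no burn is in flight.
    function getPrice() external view returns (uint256) {
        return (reserve1 * 1e18) / reserve0;
    }

    function burn(address to, uint256 amount0, uint256 amount1) external {
        // External call happens BEFORE reserves are updated. While the callee
        // runs, getPrice() still reports the old reserves, so any contract that
        // quotes this pool during the callback works from stale values.
        ICallback(to).onCallback(amount0, amount1);
        _updateReserves(reserve0 - amount0, reserve1 - amount1);
    }

    function _updateReserves(uint256 r0, uint256 r1) internal {
        reserve0 = r0;
        reserve1 = r1;
    }
}

contract HardenedPool {
    uint256 public reserve0;
    uint256 public reserve1;
    bool private locked; // set for the whole multi-step operation

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    // View functions also check the lock, so a read during an in-flight
    // operation reverts instead of returning not-yet-updated reserves.
    function getPrice() external view returns (uint256) {
        require(!locked, "pool mid-operation");
        return (reserve1 * 1e18) / reserve0;
    }

    function burn(address to, uint256 amount0, uint256 amount1) external nonReentrant {
        // Checks-effects-interactions: commit the new reserves, then call out.
        _updateReserves(reserve0 - amount0, reserve1 - amount1);
        ICallback(to).onCallback(amount0, amount1);
    }

    function _updateReserves(uint256 r0, uint256 r1) internal {
        reserve0 = r0;
        reserve1 = r1;
    }
}
```

Consumers of such a pool should treat a revert from the guarded view as "do not price this asset now" rather than falling back to cached values.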
The impact of this exploit was not limited to Era Lend. The attack reverberated across the zkSync network, trickling down to the stablecoin USDC+, backed by the Overnight Finance protocol. The aftermath saw about $261,000 worth of collateral, equating to 7.86% of its total value, likely gone.
At the heart of this incident lies a call for better security measures. At the same time, the unconventional nature of the exploit, which did not require a state change in the contract, could rewrite how we approach blockchain security. This incident underlines the need for advanced tools and strategies that support extensive audit capabilities, thereby fortifying the cryptocurrency landscape.
Source: Cointelegraph