EraLend, zkSync Era’s largest cryptocurrency lending protocol, has been the victim of a hack worth over $3.4 million. EraLend has temporarily suspended all withdrawal operations and advised users not to deposit funds until further notice.
EraLend suffers major hack on zkSync Era
EraLend, zkSync Era’s largest cryptocurrency lending protocol in terms of total locked value (TVL), has suffered a hack worth over $3.4 million. According to DefiLlama data, EraLend lost over 62% of its initial TVL as a result.
First reported by Spreek, the hack was then confirmed directly by EraLend teams on Twitter, who claim that the risks have been averted, although the damage has been done:
Security Update: We’ve experienced a security incident on our platform today. The threat has been contained. We’ve suspended all borrowing operations for now and advise against depositing USDC. We’re working with partners and cybersecurity firms to address this.
More updates…– EraLend | The 1 Money Market on zkSync (@Era_Lend) July 25, 2023
” Security update: we encountered a security incident on our platform today. The threat has been contained. We have suspended all borrowing operations for the time being and advise against depositing USDC. We are working with partners and cybersecurity companies to resolve this issue. “
A “read-only reentrance” issue is said to be to blame, a flaw that allowed the hacker to flood the smart contract with repeated calls on a single transaction in order to manipulate the price of cryptocurrencies and steal them. In other words, the manipulation enabled him to withdraw far more funds than the smart contract should have allowed.
Usually considered secure, the read-only function indicates that the smart contract merely “visualizes” information without having access to it. However, in this case, EraLend relied on an oracle system belonging to the decentralized exchange (DEX) SyncSwap, which itself had a flaw.
The co-founder of blockchain security firm BlockSec told The Block that “all projects using SyncSwap code must remain vigilant”. SyncSwap is zkSync’s largest DEX, with a TVL approaching $80 million.
According to the EraLend team, withdrawal functionality has been temporarily shut down on the protocol, and users of the latter are advised not to deposit any more funds until further notice.
Based on Ethereum (ETH), zkSync is the first layer 2 based on zkRollups technology to be compatible with the Ethereum Virtual Machine (EVM). To find out more about zkSync, please read our dedicated zkSync fact sheet
