Era Lend, a decentralized lending protocol on the zkSync Layer 2 network, suffered an exploit on Tuesday.
🚨Security Update: We've experienced a security incident on our platform today. The threat has been contained. We've suspended all borrowing operations for now and advise against depositing USDC. We're working with partners and cybersecurity firms to address this.
— EraLend | The #1 Money Market on zkSync🥇 (@Era_Lend) July 25, 2023
Blockchain security analysts at BlockSec initially estimated that total losses from the exploit amounted to around $3.4 million; however, the Era Lend team later confirmed that approximately $2.76 million was stolen from its USDC pool.
The attacker carried out a “read-only re-entrancy attack,” in which a malicious contract is inserted into the vulnerable contract’s normal sequence of function calls. The attacker took advantage of Era Lend’s Syncswap price oracle, which contained the vulnerability, to drain a larger amount of assets from the protocol.
According to BlockSec, all projects that utilize Syncswap’s code could be at risk of a similar type of exploit.
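A simplified Python model of the read-only re-entrancy pattern named above, added here as an illustration; it is not code from Era Lend, Syncswap or BlockSec. The `Pool` class, its update ordering, the callback hook and both oracle functions are assumptions made for the model, and the numbers are constructed.

```python
# Toy model (constructed for illustration): a two-asset pool whose LP share
# price an oracle derives from reserves / total_supply.
class Pool:
    def __init__(self, reserve0, reserve1, total_supply):
        self.reserve0, self.reserve1 = reserve0, reserve1
        self.total_supply = total_supply
        self.locked = False  # reentrancy lock: set while a state change is in flight

    def get_reserves(self):
        # Read-only getter: it never checks the lock, so it can be called mid-update.
        return self.reserve0, self.reserve1

    def burn(self, shares, callback=None):
        if self.locked:
            raise RuntimeError("reentrant write blocked")
        self.locked = True
        out0 = self.reserve0 * shares // self.total_supply
        out1 = self.reserve1 * shares // self.total_supply
        self.total_supply -= shares   # assumed ordering: supply is reduced first
        if callback:
            callback()                # external call while reserves are still stale
        self.reserve0 -= out0         # reserves catch up only after the callback
        self.reserve1 -= out1
        self.locked = False
        return out0, out1

def naive_lp_price(pool):
    # Both assets are treated as worth 1 unit each to keep the arithmetic visible.
    r0, r1 = pool.get_reserves()
    return (r0 + r1) / pool.total_supply

def guarded_lp_price(pool):
    # Mitigation: refuse to quote a price while the pool is mid-update.
    if pool.locked:
        raise RuntimeError("pool mid-update: price unavailable")
    return naive_lp_price(pool)

def observe_during_burn(price_fn):
    """Return (price before, what the callback observed, price after)."""
    pool = Pool(1_000_000, 1_000_000, 1_000_000)
    seen = {}
    def callback():
        try:
            seen["price"] = price_fn(pool)
        except RuntimeError as err:
            seen["error"] = str(err)
    before = price_fn(pool)
    pool.burn(500_000, callback)
    return before, seen, price_fn(pool)
```

The write lock stops a nested `burn`, but the unguarded read still returns a price of 4.0 mid-update against 2.0 before and after; a lending protocol that values collateral from such a read is the dependent party at risk, which is why the guarded oracle checks the lock before quoting.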
The funds were distributed to a number of different addresses on Ethereum, Arbitrum and Optimism, which were eventually consolidated into four wallets on Ethereum, blockchain security firm CertiK noted in an incident analysis.
“We want to assure you that the attack has been contained, and the threat actor is no longer able to continue their actions. The scope of impact is currently being assessed and will be further announced,” wrote a member of the Era Lend team on its Discord channel.
In a Twitter update a few hours later, Era Lend informed users that it had begun issuing refunds and urged them to revoke all their app approvals to the platform.
Era Lend has also paused borrowing, USDC supply, and Syncswap liquidity pool supply and reduced the interest rate on the USDC pool to prevent open borrowing positions from potentially being liquidated.