Funds were stolen in a classic reentrancy attack.

On July 25, EraLend suffered a reentrancy attack that an unknown bad actor used to steal approximately $3.4 million worth of cryptocurrency.

Reentrancy attacks are a class of cyberattack that targets smart contracts, and they are among the most common attacks on DeFi protocols.

In such an attack, a bad actor finds a flaw in the smart contract code that lets them call back into the contract repeatedly before the previous call has finished and updated its state. If this succeeds, the interleaved calls can manipulate the price of tokens as the contract sees it, allowing the attacker to extract more money from the protocol than they are entitled to.

No Oracles to Exploit

EraLend, a zkSync decentralized lending protocol formerly known as Nexon Finance that describes itself (on its own website) as low-risk, avoids the use of oracles and claims this reduces risk.

“Our lending platform is less risky because it does not rely on oracles and liquidations (external liquidity).”

Unfortunately for them, or rather for their hapless users, their marketing was put to the test and found wanting.

Since the attack on the platform’s USDC storage, all lending operations have been suspended. In addition, EraLend developers have advised the community not to deposit USDC on the platform until the issue is resolved.

Cybersecurity firm takes up the case

To help the EraLend developers restore the platform, and possibly even identify those behind the attack, multiple cybersecurity firms and other partners have been contacted; BlockSec is confirmed to have taken part in the post-incident investigation.

The breach was initially announced by cybersecurity researchers Spreek and Saul, and it is unclear whether the total value of damages will stop at $3.4 million.

“Apparently the likely cause is a read-only reentrancy affecting the pricing of LP tokens. Not sure about the size of the hack, could be much bigger. Still trying to figure out this carpet tile explorer rip.”
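The mechanism described earlier, and the read-only variant the researchers point to above, in a constructed Solidity illustration added here (not EraLend's code; the pool, its functions and the share model are hypothetical). The guard protects the pool's own state-changing functions, but a view function that reads state mid-operation can still hand an integrator a stale LP price; the hardened getter refuses to answer while the lock is held.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed illustration of read-only reentrancy in an LP-token price getter
// and its standard mitigation. Not EraLend's code; all names are hypothetical.
contract SimplePool {
    uint256 public reserve;      // ETH held by the pool
    uint256 public totalShares;  // LP shares outstanding
    mapping(address => uint256) public shares;
    bool private locked;
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable nonReentrant {
        shares[msg.sender] += msg.value;  // 1 share per wei, for simplicity
        totalShares += msg.value;
        reserve += msg.value;
    }

    // The guard blocks a second call into deposit()/withdraw() during the ETH
    // transfer, but it does nothing for the view functions below.
    function withdraw(uint256 amount) external nonReentrant {
        require(shares[msg.sender] >= amount, "insufficient shares");
        shares[msg.sender] -= amount;
        reserve -= amount;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "transfer failed");
        // Root cause: this update lands after the external call, so while the
        // recipient's fallback runs, reserve is reduced but totalShares is not.
        // Fix: move this line above the call (checks-effects-interactions) and/or
        // make price readers reject that window, as lpPriceSafe() does.
        totalShares -= amount;
    }

    // UNSAFE for integrators: read during the window above, it reports a price
    // that is too low (reserve down, shares unchanged).
    function lpPrice() external view returns (uint256) {
        return totalShares == 0 ? 1e18 : (reserve * 1e18) / totalShares;
    }

    // SAFE: refuse to answer while the pool is mid-operation. A lending protocol
    // that values collateral from this pool should read this one.
    function lpPriceSafe() external view returns (uint256) {
        require(!locked, "pool is mid-operation");
        return totalShares == 0 ? 1e18 : (reserve * 1e18) / totalShares;
    }
}
```

A lending protocol that prices LP collateral should treat a revert from the pool's getter as "do not lend right now" rather than falling back to a cached or computed value.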

While the amount stolen pales in comparison to hacks like those affecting Ronin or Harmony, every bit of stolen cryptocurrency adds up.

Last year, the total value stolen from cryptocurrency investors topped $10 billion when investment scams, outright fraud, and other malicious schemes are taken into account. Today’s attack is yet another reminder to do your own research before investing your hard-earned money into any platform.

#EraLend #LendingProtocol