The Exploited Vulnerability
The DeFi protocol EraLend has recently fallen victim to a re-entrancy attack, resulting in a loss of $3.4 million worth of cryptocurrency. The attack, which took place on Tuesday, targeted a vulnerability that allowed the hacker to execute multiple calls to a function within a single transaction. This exploit enabled the attacker to withdraw more funds than should have been possible.
Impacted Stablecoin and Response
As of now, only deposits made in the stablecoin USD Coin (USDC) appear to have been affected. The news of the attack was initially shared on Twitter by a community member, prompting EraLend to acknowledge and express gratitude for flagging the incident. In a response, EraLend stated, “As we continue to work with multiple parties to resolve this, we hope that you will continue to keep a close eye on this ongoing investigation.”
“As we continue to work with multiple parties to resolve this, we hope that you […] will continue to keep a close eye on this ongoing investigation.” – EraLend Team
Subsequently, the blockchain security firm BlockSec reported on the attack and revealed its involvement in assisting EraLend with the handling of a “read-only re-entrancy attack.” On EraLend’s Discord server, the team assured users that the attack has been contained, and the perpetrators are no longer able to carry out any further actions.
Precautionary Measures
In order to safeguard funds, EraLend has temporarily suspended all borrowing operations. Users are advised to refrain from depositing USDC until further notice. The protocol expressed its active investigation into the matter and pledged to provide timely updates to the community as more details emerge.
“We are actively investigating this matter and will provide timely updates to our community as more information becomes available.” – EraLend Team
EraLend operates as a lending and borrowing protocol on the zkSync layer 2 network. The platform claims to be one of the most capital efficient solutions in the DeFi space, offering competitive lending and borrowing rates. Additionally, EraLend positions itself as a safer alternative to other protocols, emphasizing its independence from oracles and external liquidity.
Similar Attack on Conic Finance
This re-entrancy attack bears resemblance to the recent exploit suffered by the DeFi protocol Conic Finance. In an analogous incident, hackers unlawfully drained $3.2 million worth of Ether (ETH) by exploiting an Omnipools vulnerability. In response, Conic Finance enforced maximum safety measures and temporarily shut down all Omnipools.
“In response to this and given today’s ETH exploit, we immediately enforced maximum safety measures and temporarily shutdown all Omnipools.” – Conic Finance Team
