July 28th, 2023
Eralend is a decentralized lending protocol hosted on zkSync. The protocol suffered a hack in July 2023 in which an attacker exploited a read-only reentrancy vulnerability to steal approximately $3.4 million from the protocol.
The Eralend hack was made possible by a reentrancy vulnerability in the Eralend smart contracts. The attacker was able to re-enter a vulnerable function repeatedly within a single transaction, and the stale state visible during re-entry let the attacker manipulate the token values tracked by the project’s internal oracle. As a result, the attacker was able to drain an estimated $3.4 million in USDC from the smart contract.
The vulnerable smart contract included code copied from SyncSwap that already contained the flaw. In fact, the vulnerable function carried a comment noting that reserve values were updated only after the external call completed, and that deferred update is exactly what created the read-only reentrancy vulnerability: any contract reading the reserves during the call sees values that no longer reflect the pool’s real balances. This code was left untouched, leaving the protocol open to attack.
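To make the pattern concrete, the following is an added illustration, not Eralend's or SyncSwap's code: a constructed two-token pool whose burn function sends tokens and runs a callback before updating its reserves, the price view an internal oracle would read from it, and two mitigations. The contract and function names (`Pool`, `burnVulnerable`, `priceVulnerable`, `burnSafe`, `priceSafe`, `IBurnCallback`) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address owner) external view returns (uint256);
}
interface IBurnCallback {
    function onBurn(uint256 amount0, uint256 amount1) external;
}
// Constructed, simplified pool used as an internal price oracle (illustration only).
contract Pool {
    IERC20 public immutable token0;
    IERC20 public immutable token1;
    uint256 public reserve0;
    uint256 public reserve1;
    bool private locked;
    modifier lock() { require(!locked, "reentrant"); locked = true; _; locked = false; }
    constructor(IERC20 t0, IERC20 t1) { token0 = t0; token1 = t1; }

    // VULNERABLE PATTERN: tokens leave the pool and a callback runs before reserves are
    // updated, so a price read made during the callback sees stale reserves.
    function burnVulnerable(uint256 amount0, uint256 amount1, address to) external lock {
        token0.transfer(to, amount0);
        token1.transfer(to, amount1);
        IBurnCallback(to).onBurn(amount0, amount1);
        reserve0 = token0.balanceOf(address(this)); // update reserves (after the callback)
        reserve1 = token1.balanceOf(address(this));
    }

    // Price of token0 in token1, scaled by 1e18; this is what a lender's oracle reads.
    // The `lock` modifier guards state-changing calls only, so this view is reachable mid-burn.
    function priceVulnerable() external view returns (uint256) {
        return reserve1 * 1e18 / reserve0;
    }

    // MITIGATION 1: checks-effects-interactions; reserves are updated before any external call.
    function burnSafe(uint256 amount0, uint256 amount1, address to) external lock {
        reserve0 -= amount0;
        reserve1 -= amount1;
        token0.transfer(to, amount0);
        token1.transfer(to, amount1);
        IBurnCallback(to).onBurn(amount0, amount1);
    }

    // MITIGATION 2: let readers detect an in-progress operation and refuse stale values.
    function priceSafe() external view returns (uint256) {
        require(!locked, "pool: read during reentrancy");
        return reserve1 * 1e18 / reserve0;
    }
}
```

A lending protocol that consumes such a pool as its oracle should read only from a guarded view like `priceSafe`, since the reentrancy lock on the pool's own functions does nothing for external callers reading its state.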
The Eralend hack is particularly painful because the protocol bragged that it was a more secure option than other projects because it avoided the use of external oracles and external liquidity. However, the flaw in the protocol’s own contract code still left it open to attack.
Exploitation of read-only reentrancy vulnerabilities has become common in recent months. Check back soon for a blog explaining read-only reentrancy vulnerabilities.