DeFi Protocol Era Lend Hacked for $3.4M in Read-Only Reentrancy Attack

Lending app Era Lend on zkSync has been exploited for $3.4 million worth of crypto, according to a July 25 report from blockchain security firm CertiK. The attacker used a “read-only reentrancy attack” to drain the funds, which is a type of attack that interrupts a multi-step process and then causes it to continue after a malicious action has been performed. Specifically, a “read-only” reentrancy is one that does not update the state of a contract.

In the case of Era Lend, the attacker exploited a vulnerability in the way that the contract handled deposits. The contract would allow users to deposit funds and then immediately withdraw them. However, the attacker was able to exploit this by calling the deposit function multiple times in a row, each time withdrawing the funds before the contract had a chance to update its state. This allowed the attacker to drain the contract of funds without actually updating the contract’s state, which made it difficult for auditors to spot the vulnerability.

The attack has been acknowledged by Era Lend in a statement on Discord. 

“We have detected and confirmed a cyber attack on our platform. We want to assure you that the attack has been contained, and the threat actor can no longer continue their actions,”

The attack highlights the importance of security audits for DeFi protocols. Even well-designed protocols can be vulnerable to attack, and it is important to have them audited by experienced security professionals.

Also read: DeFi Platform Conic Finance Drained of $3.2 Million in Security Attack

What is a read-only reentrancy attack?

A read-only reentrancy attack is a type of attack that exploits a vulnerability in the way that a contract handles function calls. The attacker calls a function in the contract, and then before the contract has a chance to update its state, the attacker calls the function again.

This allows the attacker to effectively call the function multiple times in a row, even though the contract only sees it as being called once.

Read-only reentrancy attacks are often difficult to spot because they do not update the state of the contract. This means that they can be difficult for auditors to find, and they can be very difficult to defend against.