DeFi Platform EraLend on zkSync Loses $3.4 Million in Blockchain Exploit

Fredrik Vold

Decentralized finance (DeFi) protocol EraLend has lost $3.4 million worth of crypto in a so-called re-entrancy attack.

The attack, which happened on Tuesday, exploited a vulnerability that allowed the hacker to make multiple calls to a function within a single transaction, enabling the person or group to withdraw more money than should have been possible.

Only deposits in the form of the stablecoin USD Coin (USDC) appear to have been affected for now.

News of the hacking attack was first shared by an individual community member on Twitter, with the EraLend team later responding and thanking the user for his “swift action in flagging this attack.”

“As we continue to work with multiple parties to resolve this, we hope that you […] will continue to keep a close eye on this ongoing investigation,” the team wrote.

The news was then reported on by the blockchain security firm BlockSec, which said it is assisting EraLend in the handling of a “read-only re-entrancy attack.”

Attack has been ‘contained’, team says

In a post on EraLend’s Discord server, the EraLend team said the attack has been “contained,” while assuring users that the attackers are “no longer able to continue their actions.”

“As a precautionary measure, we have temporarily suspended all borrowing operations to ensure the safety of funds,” the team wrote, adding that users are advised to avoid depositing USDC until further notice.

“We are actively investigating this matter and will provide timely updates to our community as more information becomes available,” the post said.

A lending and borrowing protocol that operates on the zkSync layer 2 network, EraLend claims to be among the most capital-efficient solutions in the DeFi space, with a smaller difference between lending and borrowing rates.

The protocol also claims to be a safer choice than competing protocols, saying on its website that it is less risky because it does not depend on oracles and external liquidity.

Conic Finance suffered same attack

A re-entrancy attack is the same type of exploit that the DeFi protocol Conic Finance suffered over the weekend.

In Conic Finance’s case, hackers drained $3.2 million worth of Ether (ETH) from the protocol in two separate attacks that exploited an Omnipools vulnerability.

“In response to this and given today’s ETH exploit, we immediately enforced maximum safety measures and temporarily shut down all Omnipools,” the Conic Finance team said at the time.