On July 25, 2023, EraLend, a zkSync Era-based lending protocol, announced a security incident. After preliminary investigation, CertiK found that EraLend was attacked by a read-only reentrancy attack, resulting in a total loss of approximately $2.7 million.
Summary of the Incident
EraLend suffered a read-only reentrancy attack on the zkSync Era mainnet. The attack was executed by the address 0xf1D07, and the attacker manipulated the EraLend price oracle using a flash loan. EraLend uses SyncSwap trading pairs as price oracles, and these pairs are exposed to read-only reentrancy. The attacker was able to burn tokens and execute a callback before _updateReserves was called, so the oracle calculated prices from outdated reserves.
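The stale-reserve window described above, as an added Python model (not EraLend's or SyncSwap's code): a toy pair that pays out, runs the caller's callback, and only then refreshes its cached reserves, next to a naive LP-token valuation (an assumed formula, reserves times spot price over LP supply; the write-up does not give EraLend's exact oracle formula) and a guarded one that refuses to answer while the pair's reentrancy lock is held. Prices, balances and the `locked` flag are constructed for the illustration.

```python
# Constructed spot prices in USD (hypothetical): token0 = USDC, token1 = WETH.
PRICE0, PRICE1 = 1.0, 2000.0

class Pool:
    """Toy AMM pair. balance0/1 are live token balances; reserve0/1 is the cached
    snapshot a naive oracle reads, refreshed only at the end of burn()."""

    def __init__(self, balance0, balance1, total_supply):
        self.balance0, self.balance1, self.total_supply = balance0, balance1, total_supply
        self.locked = False  # models the pair's own reentrancy lock (assumed)
        self._update_reserves()

    def _update_reserves(self):
        self.reserve0, self.reserve1 = self.balance0, self.balance1

    def burn(self, lp_amount, callback=None):
        """Pay out the pro-rata share, run the caller's hook, THEN refresh reserves."""
        self.locked = True
        keep = 1 - lp_amount / self.total_supply
        self.balance0, self.balance1 = self.balance0 * keep, self.balance1 * keep
        self.total_supply -= lp_amount  # supply is already reduced here ...
        if callback:
            callback()  # ... but reserve0/reserve1 still hold the pre-burn snapshot
        self._update_reserves()
        self.locked = False

def lp_value_naive(pool):
    """USD value per LP token from cached reserves (assumed oracle formula)."""
    return (pool.reserve0 * PRICE0 + pool.reserve1 * PRICE1) / pool.total_supply

def lp_value_guarded(pool):
    """Same valuation, but refuses to answer while the pair is mid-operation."""
    if pool.locked:
        raise RuntimeError("pair locked: reserves may be stale")
    return lp_value_naive(pool)

def demo():
    """Returns (value before burn, naive value seen inside the callback,
    guarded oracle's error inside the callback, value after burn)."""
    pool = Pool(balance0=1_000_000.0, balance1=500.0, total_supply=1000.0)
    before, seen = lp_value_naive(pool), {}
    def hook():  # runs inside burn(), like the callback the write-up describes
        seen["naive"] = lp_value_naive(pool)
        try:
            lp_value_guarded(pool)
        except RuntimeError as err:
            seen["guarded"] = str(err)
    pool.burn(500.0, hook)
    return before, seen["naive"], seen.get("guarded"), lp_value_naive(pool)
```

Inside the callback the naive valuation doubles (LP supply already halved, reserves not yet updated) while the guarded one refuses to read; once burn() completes, the naive value returns to its true level.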
The EraLend team issued a statement saying that “the attack has been contained and the attacker can no longer continue their actions. The scope of the impact is currently being evaluated and will be further disclosed.” Users are advised not to deposit USDC into EraLend at this time.
CertiK has tracked the stolen funds being transferred to multiple EOA (Externally Owned Address) addresses controlled by the attacker, involving the Ethereum, Arbitrum, and Optimism networks. Most of the funds have been consolidated into four wallets on the Ethereum network.
About Reentrancy Attacks
| Year | Total amount lost (USD) | Number of reentrancy attacks | Average loss per attack (USD) |
| --- | --- | --- | --- |
| 2020 | $62,936,849.00 | 6 | $10,489,474.83 |
| 2021 | $67,924,596.28 | 7 | $9,703,513.75 |
| 2022 | $18,403,869.53 | 8 | $2,300,483.69 |
| 2023 | $14,121,542.00 | 7 | $2,017,363.14 |
Flash Loan Attacks: A Growing Threat
In 2023, flash loan attacks in the cryptocurrency and blockchain space have become increasingly concerning. Compared to 101 attacks in all of 2022, there have been 128 incidents so far this year. These attacks exploit vulnerabilities in smart contracts to maximize the attacker's profit.
Flash loans allow users to borrow large amounts of funds without collateral, but they must repay the loan within the same transaction. Attackers abuse this feature, resulting in a total loss of $255 million to date, with an average loss of approximately $2 million per incident.
Within the first three weeks of July, there have been 22 attacks resulting in a loss of $8.5 million, while the average monthly number of flash loan attacks in 2023 is 18. Both July and February of 2023 set a record of 22 attacks per month. This highlights the importance of understanding the risks of DeFi and building safer smart contracts in the cryptocurrency field. Vigilance and prevention are necessary conditions for safe navigation in this volatile field.
[Figure: Flash Loan Attack Losses in 2023 (by month)]
[Figure: Number of Flash Loan Attacks in 2023 (by month)]
EraLend is the second-largest reentrancy attack to occur in July, bringing this month's total loss from flash-loan-based reentrancy attacks to $6.4 million.
So far there have been 3 reentrancy attacks in July, with a total loss of $6.4 million and an average loss of $2.1 million per attack. In 2023 to date there have been 7 reentrancy attacks with a total loss of approximately $14.1 million, averaging $2 million per attack. Note that this year's figures only cover statistics up to July; no attacks or losses have yet been recorded for August to December. With 5 months still remaining in the year, the total loss in 2023 may exceed the total for 2022 and could even reach the level of 2021.