EraLend Attack Analysis

Introduction

On July 25, 2023, EraLend, a zkSync Era-based lending protocol, announced a security incident. After preliminary investigation, CertiK found that EraLend had suffered a read-only reentrancy attack, resulting in a total loss of approximately $2.7 million.

Summary of the Incident

EraLend was hit by a read-only reentrancy attack on the zkSync Era mainnet. The attack was executed from address 0xf1D07, and the attacker used a flash loan to manipulate EraLend's price oracle. EraLend used SyncSwap trading pairs as its price oracle, and those pools carried a read-only reentrancy flaw: the attacker could burn LP tokens and receive a callback before _updateReserves was called, so any oracle that read the pool's reserves during the callback priced assets from outdated reserves.
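The ordering bug described above, as an added Python model (not the SyncSwap or EraLend contracts, which are Solidity): a pool whose burn() pays out and invokes a callback before _updateReserves(), an oracle that prices the LP token from the pool's cached reserves and total supply, a lender that sizes loans from that oracle, and an attacker whose callback reads the oracle mid-burn. The numbers, the 0.8 loan-to-value ratio, and the guarded oracle that refuses to read while the pool's reentrancy lock is held are all constructed for illustration.

```python
class ReentrancyError(Exception):
    pass


class Pool:
    """Constructed model of a SyncSwap-style pool.

    burn() transfers tokens out and runs the caller's callback BEFORE
    _update_reserves(), so get_reserves() returns stale values during the hook.
    """

    def __init__(self, reserve0: int, reserve1: int, total_supply: int):
        self.balance0 = reserve0          # real token balances held by the pool
        self.balance1 = reserve1
        self.reserve0 = reserve0          # cached reserves returned by get_reserves()
        self.reserve1 = reserve1
        self.total_supply = total_supply  # outstanding LP tokens
        self.locked = False               # nonReentrant lock, held for the whole burn()

    def get_reserves(self):
        # A view: callable by anyone at any time, including mid-burn.
        return self.reserve0, self.reserve1

    def burn(self, lp_amount: int, callback=None):
        if self.locked:
            raise ReentrancyError("burn: reentrant call")  # state-changing reentry is blocked
        self.locked = True
        try:
            amount0 = self.balance0 * lp_amount // self.total_supply
            amount1 = self.balance1 * lp_amount // self.total_supply
            self.total_supply -= lp_amount   # LP tokens destroyed
            self.balance0 -= amount0         # tokens transferred to the caller
            self.balance1 -= amount1
            if callback is not None:
                callback(amount0, amount1)   # hook runs here; reserves are still stale
            self._update_reserves()
        finally:
            self.locked = False
        return amount0, amount1

    def _update_reserves(self):
        self.reserve0, self.reserve1 = self.balance0, self.balance1


def lp_price_naive(pool: Pool, price0: float, price1: float) -> float:
    """Vulnerable oracle: trusts get_reserves() whenever it is called."""
    r0, r1 = pool.get_reserves()
    return (r0 * price0 + r1 * price1) / pool.total_supply


def lp_price_guarded(pool: Pool, price0: float, price1: float) -> float:
    """Hardened oracle: refuse to price while the pool's lock is held (assumed mitigation)."""
    if pool.locked:
        raise ReentrancyError("oracle: pool is mid-operation, reserves are stale")
    return lp_price_naive(pool, price0, price1)


class Lender:
    """Lending protocol that sizes a loan from the oracle's LP price."""

    def __init__(self, oracle, ltv: float = 0.8):
        self.oracle = oracle
        self.ltv = ltv

    def max_borrow(self, pool: Pool, lp_collateral: int, price0: float, price1: float) -> float:
        return lp_collateral * self.oracle(pool, price0, price1) * self.ltv


def simulate(oracle, price0: float = 1.0, price1: float = 1.0) -> dict:
    """Attacker holds 1000 LP (assumed minted with flash-loaned funds), keeps 100 as
    collateral and burns 900, reading the oracle from inside the burn callback."""
    pool = Pool(reserve0=1000, reserve1=1000, total_supply=1000)
    lender = Lender(oracle)
    result = {"before": oracle(pool, price0, price1), "during": None,
              "borrow_limit": None, "after": None, "blocked": False}

    def attacker_callback(amount0, amount1):
        try:
            # total_supply is already 100 but reserves still read 1000/1000
            result["during"] = oracle(pool, price0, price1)
            result["borrow_limit"] = lender.max_borrow(pool, 100, price0, price1)
        except ReentrancyError:
            result["blocked"] = True

    pool.burn(900, attacker_callback)
    result["after"] = oracle(pool, price0, price1)
    return result


if __name__ == "__main__":
    print("naive  :", simulate(lp_price_naive))
    print("guarded:", simulate(lp_price_guarded))
```

With the naive oracle the LP price reads 2.0 before and after the burn but 20.0 during the callback, so 100 LP of collateral (worth 200) unlocks a borrow limit of 1600; with the guarded oracle the mid-burn read is refused and the attacker's callback gets nothing. The same check is what a Solidity lender gets by having its oracle call a nonReentrant-protected function on the pool, or by reading the pool's lock state, before trusting getReserves().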

The EraLend team released a statement stating that “the attack has been contained and the attacker can no longer continue their actions. The scope of the impact is currently being assessed and will be further disclosed.” Users are advised not to deposit USDC into EraLend at this time.

Asset Tracking

CertiK has tracked the stolen funds to multiple EOAs (externally owned accounts) controlled by the attacker across the Ethereum, Arbitrum, and Optimism networks. Most of the funds have been consolidated into four wallets on Ethereum.

About Reentrancy Attacks

Reentrancy attack losses by year (2023 covers January through July):

Year    Attacks    Total loss (USD)    Average loss per attack (USD)
2020    6          62,936,849.00       10,489,474.83
2021    7          67,924,596.28        9,703,513.75
2022    8          18,403,869.53        2,300,483.69
2023    7          14,121,542.00        2,017,363.14

Flash Loan Attacks: A Growing Threat

Flash loan attacks in the cryptocurrency and blockchain field are an increasing concern in 2023. Against 101 attacks in 2022, there have been 128 incidents so far this year. These attacks exploit vulnerabilities in smart contracts to extract the maximum profit within a single transaction.

Flash loans let users borrow large amounts without collateral, on the condition that the loan is repaid within the same transaction. Attackers have abused this feature for a total loss of $255 million so far in 2023, an average of approximately $2 million per incident.

Within the first three weeks of July there have been 22 attacks, with losses of $8.5 million. The average number of flash loan attacks per month in 2023 is 18; July and February of 2023 both set the record at 22 attacks in a month. This underlines the need to understand DeFi risks and to build safer smart contracts. Vigilance and prevention are necessary conditions for operating safely in this volatile field.

[Chart: flash loan attack losses in 2023, by month]

[Chart: number of flash loan attacks in 2023, by month]

Summary

EraLend is the second-largest reentrancy attack of July. Reentrancy attacks have cost a total of $6.4 million this month.

So far there have been three reentrancy attacks in July, with total losses of $6.4 million and an average loss of $2.1 million per attack. Across 2023 to date there have been seven reentrancy attacks, with total losses of approximately $14.1 million and an average loss of $2 million per attack. Note that the 2023 figures cover only January through July; no attacks or losses are yet recorded for August to December. With five months still to go, 2023 losses may exceed the 2022 total and could approach the level of 2021.
