EraLend Incident Analysis
7/25/2023

Introduction

On 25 July 2023, the zkSync Era-based lending protocol EraLend announced that it had experienced a security incident. After an initial investigation, CertiK determined that EraLend was exploited through a read-only reentrancy attack, leading to a total loss of approximately $2.7 million.

Event Summary

EraLend was exploited in a read-only reentrancy attack on the zkSync Era mainnet. The attack was carried out by EOA 0xf1D07, which manipulated the EraLend price oracle within a flash loan transaction. EraLend uses a SyncSwap pair as a price oracle dependency, and that pair contains a read-only reentrancy vulnerability: the attacker can burn LP tokens and receive a callback before _updateReserves is called. During that callback the pair's reserves are stale, so the oracle calculates the price from incorrect reserves.
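The following added example (written for this analysis, not SyncSwap's or EraLend's code; contract and function names are illustrative) shows the two defences against the pattern described above: a pair that updates reserves before any external call, and a reserve getter that reverts while a state-changing call is in progress, so an oracle consumer reading it cannot be served stale reserves from inside a callback.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative pair (not SyncSwap's code): reserves are updated before any
// external call, and oracle readers use a getter that reverts while locked.
interface IBurnCallback {
    function onBurn(uint256 amount0, uint256 amount1) external;
}
contract GuardedPair {
    uint256 public reserve0;
    uint256 public reserve1;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    uint256 private _locked = 1; // 1 = idle, 2 = inside a state-changing call
    modifier lock() {
        require(_locked == 1, "REENTRANT");
        _locked = 2;
        _;
        _locked = 1;
    }
    // Oracle consumers read through this, not the raw public getters: it
    // reverts during a burn, so a callback cannot observe stale reserves.
    function getReserves() external view returns (uint256, uint256) {
        require(_locked == 1, "PAIR_BUSY");
        return (reserve0, reserve1);
    }
    // Simplified deposit (real pairs mint sqrt(a0 * a1) on first deposit).
    function mint(address to, uint256 a0, uint256 a1) external lock {
        balanceOf[to] += a0 + a1;
        totalSupply += a0 + a1;
        _updateReserves(reserve0 + a0, reserve1 + a1);
    }
    // Reserves are updated BEFORE the callback. In the vulnerable ordering the
    // callback ran first, so totalSupply had shrunk while reserves were stale.
    function burn(uint256 liquidity, address to, bool doCallback)
        external lock returns (uint256 amount0, uint256 amount1)
    {
        require(liquidity > 0 && balanceOf[msg.sender] >= liquidity, "BAD_LP");
        amount0 = liquidity * reserve0 / totalSupply;
        amount1 = liquidity * reserve1 / totalSupply;
        balanceOf[msg.sender] -= liquidity;
        totalSupply -= liquidity;
        _updateReserves(reserve0 - amount0, reserve1 - amount1);
        // Token transfers to `to` would go here; omitted for brevity.
        if (doCallback) IBurnCallback(to).onBurn(amount0, amount1);
    }
    function _updateReserves(uint256 r0, uint256 r1) internal {
        reserve0 = r0;
        reserve1 = r1;
    }
}
```

A lending protocol that prices collateral from such a pair should call getReserves() (which reverts when the lock is held) rather than the raw reserve0/reserve1 getters, which remain readable during a callback.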


The EraLend team released a statement, saying “the attack has been contained, and the threat actor is no longer able to continue their actions. The scope of the impact is currently being assessed and will be further announced.” Users are advised against depositing USDC into EraLend at this time.

Asset Tracing

CertiK traced the stolen funds to multiple EOAs controlled by the exploiter to addresses on Ethereum, Arbitrum and Optimism. The majority of the funds were consolidated into four wallets on the Ethereum network.


Reentrancy Attacks

2020:

Total amount lost: $62,936,849.00

Total number of reentrancy attacks: 6

Average USD lost per attack: $10,489,474.83

2021:

Total amount lost: $67,924,596.28

Total number of reentrancy attacks: 7

Average USD lost per attack: $9,703,513.75

2022:

Total amount lost: $18,403,869.53

Total number of reentrancy attacks: 8

Average USD lost per attack: $2,300,483.69

2023:

Total amount lost: $14,121,542.00

Total number of reentrancy attacks: 7

Average USD lost per attack: $2,017,363.14

Flash Loan Attacks: A Growing Threat in 2023

In 2023, there has been a worrying rise in flash loan attacks across the cryptocurrency and blockchain space. Compared to 101 attacks in 2022, this year has already seen 128 incidents. These attacks exploit vulnerabilities in smart contracts to maximize profits.

Flash loans allow users to borrow a large sum of money without collateral, but they must repay the loan within the same transaction. Attackers are misusing this feature, resulting in $255 million in losses so far, averaging just under $2 million per incident.

In the first three weeks of July, there have been 22 attacks causing $8.5 million in losses, and the average monthly flash loan attacks in 2023 are 18. July and February 2023 hold the record with 22 incidents each in a month. This highlights the need for understanding DeFi risks and building more secure smart contracts in the cryptocurrency space. Vigilance and precaution are essential to navigate this volatile landscape safely.


Conclusion

The EraLend incident is the second largest reentrancy attack that CertiK has alerted on for the month of July, which has seen a combined total of $6.4 million lost to this type of flash loan attack this month.

July has seen a total of 3 reentrancy attacks thus far. Total losses to reentrancy attacks for the month of July stand at $6.4M, an average of $2.1M lost per incident. There have been a total of 7 reentrancy attacks thus far in 2023, for a total loss of $14.1M, averaging $2M lost per attack. It is worth noting that the data for the current year only extends to July, and there were no reported attacks or losses for the months of August to December thus far. With 5 months remaining, the total amount lost in 2023 could exceed the total loss of 2022, or even reach as high as the 2021 total.

To read more about what a reentrancy attack is, CertiK has published a blog called "What is a Reentrancy Attack". It provides valuable insights and information about reentrancy attacks in the context of blockchain and decentralized applications. The blog explains how reentrancy attacks work, the potential risks they pose to smart contracts, and how developers and users can protect themselves against such vulnerabilities. Understanding reentrancy attacks is crucial for anyone involved in the blockchain and DeFi space to enhance security practices and prevent financial losses. The volume of flash loan attacks in 2023 demonstrates the need for robust security measures and third-party audits. Check CertiK Skynet - Web3 Security, Due Diligence and Insights to help you understand the security risks behind projects you wish to engage with.
