Era Lend Protocol lost $3.4 million in the hack

  • On-chain analysts detected suspicious activity on the Era Lend platform. The administration later confirmed the hack.
  • The attacker used a reentrancy vulnerability to manipulate the LP token exchange rate. The exact amount of the damage is unknown; the approximate amount is $3.4 million.

Era Lend, the largest lending protocol on the zkSync blockchain, has been hacked. The probable loss is $3.4 million.

According to the analytics firm CertiK, the hacker used a reentrancy vulnerability to influence the LP token exchange rate. We described this exploit in detail in a piece about the Conic Finance DeFi protocol hack.

Anomalous activity on the platform was also discovered by an anonymous expert under the pseudonym spreekaway. Judging by his data, the hacker first withdrew $1.7 million in USDC, then another $1 million, followed by the rest of the amount.

We note that the exact damage is still unknown. Era Lend's administration confirmed the hack and said that it had been contained, but also warned users not to deposit funds on the platform just yet:

“A security incident occurred on our platform today [July 24, 2023]. The threat has been contained. At this time, we have suspended all lending operations and advise against placing USDCs. We are working with cybersecurity experts and companies as part of the investigation.” 

According to a screenshot of a corporate email from spreekaway, the hack only affected the USDC pool.

The total value locked (TVL) on the platform dropped from $18.5 million to $10.75 million, according to DeFiLlama data. With this in mind, the likely damage from the attackers' actions may be much greater than that recorded at the time of writing.