EraLend, a decentralized lending protocol operating on the zkSync Layer 2, recently encountered an exploit that resulted in a loss of $3.4 million. The attack was promptly identified by security analysts at BlockSec, who have been actively assisting EraLend in resolving the issue and fortifying its security measures.
BlockSec confirmed that the attack on EraLend took the form of a read-only re-entrancy attack. In this type of attack, a malicious actor repeatedly enters and exits a contract function to manipulate the contract’s state and illicitly withdraw funds. Reentrancy attacks can be damaging to smart contracts, particularly those executed on decentralized blockchain networks such as Ethereum.
In a reentrancy attack, a malicious user exploits a vulnerability in a smart contract by repeatedly invoking a function within the contract before the previous call to that function has completed. This manipulation allows the attacker to alter the contract’s state and potentially abscond with funds.
The critical factor is the timing of the function calls. If a function interacts with another contract before its own call has concluded and its state changes are complete, the second contract can invoke the first contract’s function again while that state is still out of date. This repeated invocation allows the attacker to modify the state multiple times, eventually leading to the theft of funds.
Developers can defend against reentrancy attacks by employing the “checks-effects-interactions” technique. This approach requires a smart contract to check all inputs and conditions before making any state changes, and then to carry out all state changes before initiating interactions with other contracts. Because the contract’s state is updated before any external interaction occurs, a call that re-enters the function sees the updated state and the attack fails.
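The ordering described above can be modelled in a few lines. This is an added example, not EraLend's contract code or anything from BlockSec's analysis: the `Vault` and `Depositor` classes, the amounts, and the use of Python objects to stand in for contracts are all assumptions made for illustration.

```python
# Constructed model: contracts are Python objects, funds are integers.
class Vault:
    """Toy lending pool; cei=False sends funds before updating balances."""
    def __init__(self, cei):
        self.cei = cei
        self.balances = {}  # depositor -> credited amount
        self.reserves = 0   # funds the vault actually holds

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.reserves:  # checks
            return False
        if self.cei:
            self.balances[who] = 0   # effects: state is final...
            self._send(who, amount)  # ...before the interaction
        else:
            self._send(who, amount)  # interaction while balance is stale
            self.balances[who] = 0   # effect arrives too late
        return True

    def _send(self, who, amount):
        self.reserves -= amount
        who.receive(self, amount)    # external call: recipient gains control

class Depositor:
    """Recipient; with reenter=True it calls withdraw() again from receive()."""
    def __init__(self, reenter=False):
        self.reenter = reenter
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        if self.reenter:
            vault.withdraw(self)     # first withdraw() has not returned yet

def run(cei):
    """Return (amount paid to the re-entering depositor, vault reserves left)."""
    vault, honest, caller = Vault(cei), Depositor(), Depositor(reenter=True)
    vault.deposit(honest, 90)
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return caller.received, vault.reserves

if __name__ == "__main__":
    print("interaction before effect:", run(cei=False))
    print("checks-effects-interactions:", run(cei=True))
```

With the interaction placed before the effect, a depositor credited with 10 is paid the vault's entire 100; with the state change moved ahead of the external call, the nested call finds a zero balance and is refused.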
Understanding the urgency of the situation, EraLend has successfully identified the root cause of the attack and is actively collaborating with partners and cybersecurity firms to rectify the vulnerabilities within their contract code. The protocol has been resolute in its commitment to implementing essential measures to minimize the impact of the attack and prevent any recurrence of similar incidents in the future.
EraLend acknowledges the importance of maintaining the highest security standards, particularly in the realm of decentralized lending. While no further updates have been released at the time of writing, EraLend’s dedication to providing an uncompromised level of safeguarding for its users’ funds and data remains paramount.

