Introduction

On July 25, 2023, the zkSync Era-based lending protocol EraLend announced a security incident. After an initial investigation, CertiK found that EraLend had been attacked by a read-only reentrant attack, resulting in a total loss of approximately $2.7 million.

Event Summary

EraLend suffered a read-only reentrancy attack on the zkSync mainnet. The attack was carried out from address 0xf1D 07; the attacker used a flash loan to manipulate EraLend's price oracle. EraLend used SyncSwap trading pairs as price oracles, and the pair contract had a read-only reentrancy vulnerability: the attacker could burn LP tokens and receive a callback before _updateReserves was called, so the oracle computed prices from reserves that had not yet been updated.

The code under attack, sourced from Syncswap Github
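The following is an added, simplified illustration of the ordering problem described above, not SyncSwap's or EraLend's code: the pool, the LpOracle consumer, and the names burnVulnerable, burnFixed and onBurn are assumptions. It places the vulnerable sequence (payout and callback before _updateReserves) beside a corrected one, and shows a consumer-side check that refuses to price a pool whose reentrancy lock is currently held, which is the read that a nonReentrant modifier alone never protects.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Hypothetical minimal pool written for illustration (not SyncSwap code).
interface IBurnCallback { function onBurn(uint256 a0, uint256 a1) external; }
interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }

contract Pool {
    IERC20 public immutable token0;
    IERC20 public immutable token1;
    uint256 public reserve0;
    uint256 public reserve1;
    uint256 public totalSupply; // LP supply; minting and LP balances omitted
    bool public locked;         // reentrancy lock, readable by oracle consumers

    modifier lock() { require(!locked, "locked"); locked = true; _; locked = false; }
    constructor(IERC20 t0, IERC20 t1, uint256 r0, uint256 r1, uint256 lp) {
        token0 = t0; token1 = t1; reserve0 = r0; reserve1 = r1; totalSupply = lp;
    }

    // VULNERABLE ordering: LP supply drops and tokens leave the pool, then the
    // caller's callback runs while reserve0/reserve1 still hold pre-burn values.
    // Any contract that prices from the reserves during the callback reads stale data.
    function burnVulnerable(uint256 lp, bool callback) external lock {
        (uint256 a0, uint256 a1) = _amountsFor(lp);
        totalSupply -= lp;
        token0.transfer(msg.sender, a0); token1.transfer(msg.sender, a1);
        if (callback) IBurnCallback(msg.sender).onBurn(a0, a1);
        _updateReserves(a0, a1); // too late: reserves were readable mid-call
    }

    // FIXED ordering: reserves are brought in line with totalSupply before any
    // external call, so a re-entered read sees a consistent state.
    function burnFixed(uint256 lp, bool callback) external lock {
        (uint256 a0, uint256 a1) = _amountsFor(lp);
        totalSupply -= lp;
        _updateReserves(a0, a1);
        token0.transfer(msg.sender, a0); token1.transfer(msg.sender, a1);
        if (callback) IBurnCallback(msg.sender).onBurn(a0, a1);
    }

    function _amountsFor(uint256 lp) internal view returns (uint256, uint256) {
        return (lp * reserve0 / totalSupply, lp * reserve1 / totalSupply);
    }
    function _updateReserves(uint256 a0, uint256 a1) internal { reserve0 -= a0; reserve1 -= a1; }
}

// Consumer-side mitigation: never price an LP token while the pool is mid-execution.
// Valuation assumes a pair of equally valued tokens (a simplification for illustration).
contract LpOracle {
    function lpValue(Pool p) external view returns (uint256) {
        require(!p.locked(), "pool reentered"); // lock is set for the whole burn
        return (p.reserve0() + p.reserve1()) * 1e18 / p.totalSupply();
    }
}
```

With burnVulnerable, a read of lpValue from inside onBurn divides unchanged reserves by a reduced totalSupply and reports an inflated LP value; the locked() check rejects that read, and burnFixed removes the window entirely.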

The EraLend team released a statement saying that "the attack has been contained and the attackers are no longer able to continue their actions. The scope of the impact is currently being assessed and further announcements will be made later." Users are advised not to deposit USDC to EraLend at this time.

Asset Tracking

CertiK traced the stolen funds to multiple EOA (Externally Owned Account) addresses controlled by the attacker across the Ethereum, Arbitrum, and Optimism networks. Most of the funds were consolidated into four wallets on the Ethereum network.

Wallets containing stolen funds

About reentrancy attacks

2020 data:

Total loss amount: $62,936,849.00

Total reentrancy attacks: 6

Average loss per attack (USD): $10,489,474.83

2021 data:

Total loss amount: $67,924,596.28

Total reentrancy attacks: 7

Average loss per attack (USD): $9,703,513.75

2022 data:

Total loss amount: $18,403,869.53

Total reentrancy attacks: 8

Average loss per attack (USD): $2,300,483.69

2023 data:

Total loss amount: $14,121,542.00

Total reentrancy attacks: 7

Average loss per attack (USD): $2,017,363.14

Flash Loan Attacks: A Growing Threat

Flash loan attacks have become a growing concern in the cryptocurrency and blockchain space in 2023. There have been 128 incidents this year, compared to 101 attacks in 2022. These attacks exploit vulnerabilities in smart contracts to maximize profits.

Flash loans allow users to borrow large amounts of money without collateral, provided the loan is repaid within the same transaction. Attackers have abused this feature, causing losses totaling $255 million to date, with an average loss of about $2 million per incident.

In the first three weeks of July, 22 attacks occurred, resulting in losses of $8.5 million, against a 2023 monthly average of 18 flash loan attacks. July and February 2023 each set a record of 22 attacks in a single month. This highlights the importance of understanding DeFi risks and building safer smart contracts in the cryptocurrency space. Vigilance and prevention are necessary to navigate this volatile space safely.

Flash loan attack losses in 2023 (by month)

Summary

EraLend was the second-largest reentrancy attack CertiK recorded in July, a month in which such attacks caused a total loss of $6.4 million.

So far, there have been 3 reentrancy attacks in July, with total losses of $6.4 million, an average of $2.1 million per attack. So far in 2023, there have been 7 reentrancy attacks, with a total loss of approximately $14.1 million, an average of $2 million per attack. Note that this year's figures run only through July; no attacks or losses have yet been recorded for August to December. With 5 months still to go, total losses in 2023 may exceed the 2022 total and could even reach the level of 2021.

Understanding reentrancy attacks is critical for anyone involved in the blockchain and DeFi space to strengthen security practices and prevent financial losses. The number of flash loan attacks in 2023 demonstrates the need for strong security measures and third-party audits. Check out CertiK Skynet - Web 3 Security, Due Diligence, and Insights to help you understand the security risks behind the projects you want to participate in.