An attacker targeted the EraLend lending protocol on the zkSync Era network, stealing digital assets worth $3.4 million.
Representatives of the project confirmed the breach. The developers halted all lending operations and advised users not to make new deposits.
The EraLend team is now working with security firm BlockSec to investigate the incident.
The hacker likely used a read-only reentrancy exploit on the DEX SyncSwap. This allowed the hacker to manipulate the price oracle in order to withdraw wrapped ETH and USDC.
”The attacker changed the price of liquidity tokens during SyncSwap’s burn or mint actions, using its reserves to set its own rate. All projects using code from the affected exchange should stay vigilant,” said BlockSec.
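The following Python model is an added illustration of the read-only reentrancy pattern described above; it is not code from EraLend, SyncSwap or BlockSec. It assumes a toy pool that reduces LP supply before a recipient callback and syncs reserves after it, and compares an oracle that reads that state blindly with one that checks the pool's lock. All class and function names are hypothetical.

```python
# Constructed toy model; names and update order are assumptions for illustration.
class Pool:
    def __init__(self, reserve0, reserve1, total_supply):
        self.reserve0 = reserve0
        self.reserve1 = reserve1
        self.total_supply = total_supply
        self.locked = False  # reentrancy lock, readable by integrators

    def burn(self, lp_amount, on_receive=None):
        if self.locked:
            raise RuntimeError("reentrant call")
        self.locked = True
        out0 = self.reserve0 * lp_amount // self.total_supply
        out1 = self.reserve1 * lp_amount // self.total_supply
        self.total_supply -= lp_amount   # LP supply is reduced first
        if on_receive:
            on_receive()                 # external callback: reserves still stale
        self.reserve0 -= out0            # reserves are synced only afterwards
        self.reserve1 -= out1
        self.locked = False
        return out0, out1

def lp_price_naive(pool, price0, price1):
    # Trusts whatever the view state says, even mid-operation.
    return (pool.reserve0 * price0 + pool.reserve1 * price1) / pool.total_supply

def lp_price_guarded(pool, price0, price1):
    # Refuses to price while the pool's lock is held.
    if pool.locked:
        raise RuntimeError("pool is mid-operation; price unavailable")
    return lp_price_naive(pool, price0, price1)

def observe_during_burn():
    pool = Pool(1_000_000, 1_000_000, 1_000_000)  # constructed sample values
    seen = {}
    def callback():
        seen["naive"] = lp_price_naive(pool, 1, 1)
        try:
            lp_price_guarded(pool, 1, 1)
            seen["guarded"] = "priced"
        except RuntimeError:
            seen["guarded"] = "rejected"
    before = lp_price_naive(pool, 1, 1)
    pool.burn(500_000, callback)
    after = lp_price_naive(pool, 1, 1)
    return before, seen["naive"], seen["guarded"], after
```

The state-changing `burn` is protected by its lock, yet the read path is not, which is why a lending protocol consuming the LP price has to check the lock itself or use a price source that cannot be read mid-operation.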
According to L2BEAT data, since July 5 the total value locked in the zkSync Era L2 network has fallen by 40% over the last 20 days, from $735 million to $437 million. Over the same period, competitor StarkNet's increased by 80%, from $71 million to $128 million.
In July, the hacker withdrew $1.5 million from the DeFi protocol Rodeo Finance by manipulating the oracle.
Subsequently, the attacker targeted Alphapo. Losses from the breach totaled about $60 million.
In the first half of 2023, the crypto industry faced 395 hacks, losing about $479.4 million.
