EraLend, a lending protocol in the zkSync ecosystem, stated on social media that, after a preliminary investigation, the attack has been determined to have exploited a read-only reentrancy vulnerability.
The attacker manipulated the oracle price, causing the USDC pool to be exploited for about $2.76 million. All other pools remain safe and unaffected. The attackers used multiple bridges to spread the exploited funds across multiple wallets on various chains.
Currently, funds are spread across 3 blockchains and 8 addresses, which we are monitoring closely. We are actively working with bridges, security teams, exchanges, and law enforcement to investigate and trace the flow of funds.
To limit further impact, we have temporarily halted lending, USDC supply, and SyncSwap LP supply.
In addition, we have significantly reduced the interest rate on the USDC pool to protect affected borrowing positions from potential liquidations during this period.
EraLend suffered a read-only reentrancy attack, with a total loss of $3.4 million.