According to a recent report by blockchain security firm BlockSec, Era Lend, a decentralized lending protocol operating on the zkSync Layer 2 network, has fallen victim to a 'read-only reentrancy attack' resulting in a loss of $3.4 million.
The attacker exploited a vulnerability that allowed repeated calls to a function within a single transaction, withdrawing more funds than they were entitled to. In addition, the exploit involved manipulating a contract into reporting outdated values that had not yet been updated, taking advantage of a faulty price oracle that Era Lend relied upon.
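A minimal Python model of the stale-read problem described above, added here as an illustration; it is not Era Lend's or SyncSwap's contract code, and the `Pool` class, its method names and the numbers are constructed assumptions. It shows a read-only getter returning an outdated value while a state-changing call is still in flight, next to a getter that checks the reentrancy lock.

```python
class Pool:
    """Constructed toy pool; other contracts use share_value() as a price oracle."""

    def __init__(self, reserves, total_shares):
        self.reserves = reserves          # cached accounting value
        self.total_shares = total_shares
        self.locked = False               # set while a state-changing call runs

    def share_value(self):
        # Read-only getter: it changes nothing, so it carries no lock check.
        return self.reserves / self.total_shares

    def share_value_guarded(self):
        # Hardened getter: refuse to answer while state is only half updated.
        if self.locked:
            raise RuntimeError("pool is mid-update; reserves are stale")
        return self.reserves / self.total_shares

    def burn(self, shares, on_receive):
        """Redeem shares. on_receive models the external call to the recipient."""
        self.locked = True
        payout = self.reserves * shares / self.total_shares
        self.total_shares -= shares       # supply is already reduced...
        on_receive()                      # ...the external call happens here...
        self.reserves -= payout           # ...reserves are only synced afterwards
        self.locked = False
        return payout


def observe_during_burn(getter_name):
    """Return (value read inside the callback, value after the burn completes)."""
    pool = Pool(reserves=1000.0, total_shares=100.0)
    seen = {}

    def on_receive():
        # A consumer (for example a lending market) reads the oracle mid-call.
        try:
            seen["mid"] = getattr(pool, getter_name)()
        except RuntimeError as exc:
            seen["mid"] = f"rejected: {exc}"

    pool.burn(50.0, on_receive)
    return seen["mid"], pool.share_value()


if __name__ == "__main__":
    print(observe_during_burn("share_value"))          # outdated value is served
    print(observe_during_burn("share_value_guarded"))  # read is refused
```

A consumer that prices collateral from the unguarded getter sees double the settled value for the duration of the callback; the guarded getter makes that read fail instead.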
The impact and response
The attack had repercussions for the stablecoin USDC+, issued by the Overnight Finance protocol, resulting in a potential loss of over $261,000, which represents 7.86% of the total value of the collateral backing the stablecoin.
In response to the attack, Era Lend paused the protocol's zkSync contracts to prevent further exploits. The team also advised users that only the USDC pool was compromised. According to an official statement on Discord, the Era Lend team gave assurances that the security of other assets remains intact, but borrowing operations on the platform have been temporarily halted.
“We’ve detected and confirmed a cyber attack on our platform. We want to assure you that the attack has been contained, and the threat actor can no longer continue their actions.”
Era Lend Team
The Era Lend exploit has raised concerns for other projects based on the SyncSwap project, of which Era Lend is a fork. Security analysts have warned that these projects may also be vulnerable to similar exploits. The incident underscores the need for auditors to use specialized software to identify these vulnerabilities more effectively, as read-only reentrancy attacks can evade traditional scrutiny and remain harder to identify during auditing processes.
Era Lend operates on the zkSync network, an Ethereum layer-2 rollup that uses zero-knowledge proofs. As of April, the total value locked in the zkSync network surpassed $110 million. Despite the recent exploit, the network's developers have ambitious plans to establish an ecosystem of interoperable chains named “Hyperchains” by December 2023.





