CertiK, a number one blockchain safety agency, has issued an pressing Skynet Alert after receiving a number of reviews of the defi platform Period Lend falling sufferer to an exploitation on zkSync.
Losses are at present estimated to be round $3.4 million.
One other hacking
CertiK, a blockchain safety expertise firm that ceaselessly tweets about vulnerabilities, hacks and exploits within the area, identifies the assault as a “read-only reentrancy assault,” strategically concentrating on the platform’s multi-step processes, permitting the malicious actor to empty the funds whereas leaving little to no hint.
By definition, a “read-only reentrancy assault” is a technique utilized by hackers to disrupt the pure circulation of transactions inside a wise contract. The attacker interrupts a sequence of operations after which manipulates the contract to proceed executing malicious actions with out updating its state.
The report goes on to focus on that the attacker drained funds utilizing two separate transactions from the account 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a, by which they discovered a vulnerability within the callback and _updateReserves operate that allowed them to govern a contract into reporting previous values that had not but been up to date.
The Period Lend group promptly acknowledged the assault and took fast motion to safeguard their protocol’s zkSync contracts.
The platform then went on to launch a assertion on Discord that shared that solely the USDC pool was compromised and, as a precautionary measure, customers ought to chorus from depositing this asset in the intervening time.
Since Period Lend is a fork within the Syncswap undertaking, which goals to carry easy-to-use decentralized finance (defi) and scales Ethereum (ETH) to the lots, Certik additionally means that different tasks utilizing Syncswap could possibly be targets of the exploit.