Blockchain security firm CertiK has reported that lending app Era Lend on zkSync has been exploited for $3.4 million worth of crypto using a "read-only reentrancy attack". The attacker used a vulnerability in the "callback and _updateReserves function" to manipulate a contract into reporting old values that had not yet been updated. Other projects based on Syncswap may also be vulnerable to the exploit. The Era Lend team has acknowledged the attack and paused the protocol's zkSync contracts to prevent further exploits.
Welcome Back
Click “Sign in” to agree to Cointime’s Terms of Service and acknowledge that Cointime’s Privacy Policy applies to you.
Join CoinTime
Already have an account?
Click “page.Sign up” to agree to Cointime’s <a class="underline" href="#term-of-service">Terms of Service</a> and acknowledge that Cointime’s a class="underline" href="#privacy-policy">Privacy Policy</a> applies to you.
Sign in with email
Sign up with email
Your email
Check your inbox
Click the link we sent to to sign in.
Click the link we sent to to sign up.
Era Lend on zkSync Exploited for $3.4 Million in Read-Only Reentrancy Attack
-
Wechat scan to share
Recommended for you
-
Cosine: After a user used GPT to write a bot with a backdoor code, the private key was sent to a phishing website
SlowMist Yu Xian stated in a post on the X platform that a user used GPT to write a bot with code and sent the private key to a phishing website. The reason why the private key was stolen was because it was directly sent to the phishing website in the HTTP request body. Yu Xian reminded that when using LLM such as GPT/Claude, one must pay attention to the common fraudulent behavior of these LLM. It was previously mentioned that AI poisoning attacks were carried out, and now this is a real attack case targeting the crypto industry. -
Polymarket Blocks French Users Amid Government Investigation into Gambling Law Compliance
Polymarket has blocked users from France following reports of an investigation by the country's gaming authority for compliance with gambling laws. The ban was not stated in Polymarket's terms of service, but French users attempting to access the website using a VPN from a French server were met with a digital blockade. The ANJ, France's national gaming authority, began investigating Polymarket after a French trader placed large bets on Donald Trump winning the 2024 US Presidential election. -
Yao Qian, former director of the Science and Technology Supervision Department of the China Securities Regulatory Commission, was expelled from the party and removed from public office for allegedly u
the Discipline Inspection and Supervision Team of the Central Commission for Discipline Inspection and the National Supervision Commission stationed in the China Securities Regulatory Commission and the Supervision Commission of Shantou City, Guangdong Province, recently conducted disciplinary review and supervision investigations into Yao Qian, former director of the Science and Technology Supervision Department of the China Securities Regulatory Commission and former director of the Information Center, for serious violations of discipline and law. -
SlowMist: Will help law enforcement agencies track down the stolen funds from DEXX. Currently, about 2,000 suspicious addresses have been roughly identified.
SlowMist announced on X platform that its team will assist law enforcement agencies in tracking stolen funds and analyzing related clues. A complete list of hacker addresses will soon be released with DEXX. Currently, about 2,000 suspicious addresses have been roughly identified. -
DEXX: If all assets are recovered, full compensation will be given immediately
DEXX, the on-chain trading terminal, has released an update regarding the previous security incident. DEXX has officially filed a lawsuit and the SlowMist team is actively assisting law enforcement in the follow-up investigation. At the same time, DEXX is actively discussing compensation plans. Regarding compensation: -
SlowMist: DEXX incident has identified more than 900 victims, with total losses estimated at $21 million
blockchain security company SlowMist announced that as of November 18th, the DEXX incident report has been updated: more than 1,100 reports of funds being stolen have been received from the community. After removing duplicate reports, it has been confirmed that there are more than 900 victims, with a total estimated loss of $21 million (affected by price fluctuations). Loss details (so far): -
Warning: Multiple Dexx user emails have been subjected to abnormal login attempts. It is recommended to change the passwords of the associated accounts in time.
On November 18th, OneKey Security Lab issued a security warning. Multiple users of the Dexx trading platform reported abnormal login attempts on their associated email accounts. OneKey recommends that users take immediate security measures, especially for those who use the same password for logging in to Dexx and their email: 1) immediately change the password for all Web2 accounts that use the same password; 2) completely abandon any leaked password combinations; 3) pay special attention to the security of email accounts that contain sensitive information and are associated with multiple authentications. -
Polterfinance left a message to the hacker: If the funds are returned in time, no legal action will be taken
On November 18th, Polterfinance, a lending project on the Fantom chain, left a message to the hacker on the chain, stating: "If the funds can be returned in a timely manner, we are willing to negotiate and will not take legal action. Please send the funds to the corresponding address on the Fantom chain (starting with 0x6cA0). If further communication is needed, please reply to this message." Earlier today, Polterfinance reported that it was attacked on the Fantom chain, with over $7 million in encrypted assets stolen. The attacker initially obtained the funds through Tornado Cash on Ethereum, which were later bridged to Fantom. -
He Yi: Telegram accounts have been maliciously reported and banned. Users should be wary of scams impersonating related accounts
Binance co-founder He Yi posted on social media that "my Telegram account has been maliciously reported and banned. If someone claims to be Yi on Telegram, it is a scam." -
CertiK Chief Security Officer: The number of security incidents as of September 2023 has exceeded the total in 2022
On October 23, at the ETH HK Side Event, a Web3 ecosystem security forum jointly held by CertiK and OKLink in Causeway Bay, Hong Kong, Professor Li Kang, Chief Security Officer of CertiK, shared his views on digital asset security construction. He pointed out that according to CertiK's statistics, the number of security incidents as of September 2023 has exceeded the total number in 2022. Hacking attacks and fraudulent behavior are still important threats, seriously hindering the development of the Web3 industry. Li Kang also mentioned the revolutionary feature of transparency in the Web3 field. The entire ecosystem can reduce security risks through public and transparent measures, such as asset management solutions. At the event, leaders from the Hong Kong Investment Promotion Agency, OKLink, and BlockSec shared their related work and latest developments in Web3 security construction. For example, CertiK and OKLink have received responses from multiple exchanges in asset tracking locking and data labeling. Finally, Li Kang hopes to further strengthen Hong Kong's position as a Web3 innovation gateway in the rapidly growing Asia-Pacific region through this sharing, and jointly promote the safe application and landing of Web3 technology.
Daily Must-Read
-
Uniswap Labs, UNI holders could make $468M a year from new L2: DeFi Report
-
Avalanche Foundation to buy back nearly 2M AVAX sold to Terra in 2022
-
Gold Fever Hits Costco: 77% of Stores Sell Out Amid Soaring Demand for Bullion
-
$500M Bitcoin Buried in Landfill: Man Sues City After Decade-Long Battle for Recovery
-
Former BAYC creative director Jeff Nicholas joins Meta’s Reality Labs
-
Why is Solana's Dogwifhat (WIF) memecoin crashing?
All Comments