Lending app Period Lend on zkSync has been exploited for $3.4 million worth of crypto, according to a July 25 report from blockchain security firm CertiK. The attacker used a “read-only reentrancy attack” to drain the funds. A reentrancy attack interrupts a multi-step process and then lets it continue after a malicious action has been performed. Specifically, a “read-only” reentrancy is one that does not update the state of a contract.
According to the report, the attacker drained funds in two separate transactions using the externally owned account 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a. The attacker relied on a vulnerability in “the callback and _updateReserves function” to manipulate a contract into reporting outdated values that had not yet been updated.
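The mechanism described above can be shown with a simplified model. This is an added example, not code from the exploited protocol or from CertiK's report. The `Pool` class, its fields, and the choice of which value goes stale are assumptions made for illustration.

```python
# Simplified model (constructed for illustration): a pool whose withdrawal
# pays out and calls back into the receiver before _update_reserves() runs.

class Pool:
    def __init__(self, balance, shares):
        self.balance = balance      # tokens actually held
        self.reserve = balance      # cached value that view functions report
        self.shares = shares        # outstanding pool shares
        self.locked = False         # reentrancy flag held during withdraw

    def withdraw(self, shares, callback):
        self.locked = True
        amount = self.balance * shares // self.shares
        self.shares -= shares       # shares are burned...
        self.balance -= amount      # ...and tokens leave the pool
        callback()                  # external call BEFORE reserves are synced
        self._update_reserves()
        self.locked = False

    def _update_reserves(self):
        self.reserve = self.balance

    def share_price(self):
        """Unguarded view: callable mid-withdraw, while reserve is stale."""
        return self.reserve / self.shares

    def share_price_guarded(self):
        """Hardened view: refuses to answer while the pool is mid-update."""
        if self.locked:
            raise RuntimeError("pool is mid-update; reserves are stale")
        return self.reserve / self.shares


def observe_during_withdraw(view_name):
    """Return what a dependent contract would read inside the callback."""
    pool = Pool(balance=1_000, shares=1_000)
    seen = {}

    def callback():
        try:
            seen["price"] = getattr(pool, view_name)()
        except RuntimeError as err:
            seen["error"] = str(err)

    pool.withdraw(500, callback)
    seen["after"] = pool.share_price()  # consistent again once the call ends
    return seen
```

The unguarded view reports a price of 2.0 inside the callback and 1.0 once the withdrawal completes, although no state was written by the read itself. The guarded view fails closed, which is the check a price consumer needs when the pool's ordinary reentrancy lock only protects state-changing functions.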