A July 25 report from blockchain security firm CertiK said zkSync's lending app Period Lend had $3.4 million worth of cryptocurrency stolen. Attackers used a "read-only reentrancy attack" to exfiltrate funds. This is a type of attack that interrupts a multi-step process and resumes it after a malicious action has been taken. Specifically, "read-only" reentrancy is one that does not update the state of the contract.
According to the report, the attackers used the externally owned account 0xf1D076c9Be4533086f967e14EE6aFf204D5ECE7a to exfiltrate funds in two separate transactions. Attackers used the "callback and _updateReserves function" vulnerability to manipulate the contract into reporting outdated values that had not yet been updated.
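The stale-read condition described above can be modelled in a few lines. This is an added example, not code from the affected protocol or from the CertiK report: the `Pool` class, the `burn` flow, the LP-token pricing formula and all numbers are assumptions constructed for illustration, with only the callback-before-`_updateReserves` ordering taken from the article.

```python
class StaleRead(Exception):
    """Raised when a view is queried while the pool is mid-operation."""

class Pool:
    def __init__(self, amount_a, amount_b, guard_views):
        self.balance_a, self.balance_b = amount_a, amount_b  # real token balances
        self.reserve_a, self.reserve_b = amount_a, amount_b  # cached reserves
        self.total_supply = 1000       # LP tokens outstanding (constructed value)
        self.locked = False
        self.guard_views = guard_views

    def get_reserves(self):
        # A view changes no state, so a lock that only protects writes never
        # covers it. The hardened variant refuses to answer while locked.
        if self.guard_views and self.locked:
            raise StaleRead("pool is mid-operation")
        return self.reserve_a, self.reserve_b

    def burn(self, lp_amount, callback):
        if self.locked:
            raise RuntimeError("reentrant write blocked")
        self.locked = True
        self.balance_a -= self.balance_a * lp_amount // self.total_supply
        self.balance_b -= self.balance_b * lp_amount // self.total_supply
        self.total_supply -= lp_amount
        callback()                     # external call BEFORE reserves refresh
        self._update_reserves()
        self.locked = False

    def _update_reserves(self):
        self.reserve_a, self.reserve_b = self.balance_a, self.balance_b

def lp_price(pool):
    # Hypothetical consumer (e.g. a lending app pricing LP collateral).
    reserve_a, reserve_b = pool.get_reserves()
    return (reserve_a + reserve_b) / pool.total_supply

def price_seen_during_burn(guard_views):
    """Return (price observed inside the callback, price after burn completes)."""
    pool = Pool(1000, 1000, guard_views)
    seen = {}
    def callback():
        try:
            seen["price"] = lp_price(pool)
        except StaleRead:
            seen["price"] = None       # consumer declines to price a locked pool
    pool.burn(500, callback)
    return seen["price"], lp_price(pool)
```

Without the view guard, the consumer reads cached reserves against an already reduced supply and sees double the correct price; with the guard, the read fails closed until `_update_reserves` has run.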
Read more on Cointelegraph