EraLend (formerly Nexon Finance): Read-Only Reentrancy (SyncSwap LP Callback — Stale Reserves Oracle)

Summary #

EraLend (formerly Nexon Finance) suffered a Lending on 2023-07-25, resulting in a loss of approximately $3M.

What happened #

EraLend lost $3.4M to a read-only reentrancy exploit that was literally described in a comment inside the code they had recycled from SyncSwap — the exploit window existed because they copied the code without understanding the timing risk it documented.

Linked factors #

• RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Effectively unaudited — oracle mechanism explicitly excluded from audit scope]
• RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Unknown — recent zkSync Era launch] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Unknown — recent zkSync Era launch]
• RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
• RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — LP token price spike during reentrancy window detectable in real time if oracle price is monitored against reference]
• RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Unknown]
• RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — code recycled from SyncSwap; lending architecture borrowed from established patterns]
• RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Unknown — recent zkSync Era launch]