Era Lend, a decentralized lending protocol operating on zkSync Layer 2, become the latest victim of a reentrancy attack that resulted in a loss of $3.4 million, as confirmed by security analysts at BlockSec.
The attack exploited a read-only reentrancy vulnerability that allowed the hacker to make repeated calls to a function within a single transaction, withdrawing more funds than they were entitled to. Taking advantage of a faulty price oracle that Era Lend relied upon, the attacker used the reentrancy exploit to further drain assets from the protocol.
Typically, view functions labeled as read-only are considered safe, often lacking reentrancy protection since they don’t change the contract’s state. The term “read-only” indicates that the function merely performs a view action, such as calculating a token balance based on a third-party pool’s supply. In this incident, the third-party was another decentralized exchange called SyncSwap. However, as this case demonstrates, these functions can be manipulated to siphon off substantial funds.
“The attacker altered the LP’s price during the burn/mint actions of SyncSwap, using its reserves to determine the LP price [on Era Lend],” Lei Wu, co-founder and CTO of BlockSec, told The Block. “All projects that utilize the SyncSwap code should remain alert.”
“We have detected and confirmed a cyber attack on our platform. We want to assure you that the attack has been contained, and the threat actor can no longer continue their actions,” Era Lend said in a statement on Discord.
It clarified that only the USDC pool was compromised, while the security of assets other than USDC remains intact.
As a precautionary measure, the team advised users to refrain from depositing USDC for the time being. Additionally, borrowing operations on the platform have been temporarily halted, the team added.
© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
