EraLend, the largest lending protocol on Ethereum scaling blockchain zkSync, has been hit by a $3.4 million read-only reentrancy attack, according to blockchain security firm CertiK.
The total amount of capital locked on EraLend slumped to $10.75 million from $18.5 million following the exploit, DefiLlama data indicate.
"We've experienced a security incident on our platform today. The threat has been contained. We've suspended all borrowing operations for now and advise against depositing USDC. We're working with partners and cybersecurity firms to address this. More updates to follow," EraLend wrote in a tweet.
A read-only reentrancy bug allows an attacker to manipulate asset prices by flooding a smart contract with repeated calls in order to steal assets.
Decentralized finance (DeFi) protocol Conic Finance was hit by a similar attack last week with the total loss of $3.6 million.
UPDATE (July 25, 13:50 UTC): Removes space from EraLend's name throughout.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is an award-winning media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. In November 2023, CoinDesk was acquired by Bullish group, owner of Bullish, a regulated, institutional digital assets exchange. Bullish group is majority owned by Block.one; both groups have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary, and an editorial committee, chaired by a former editor-in-chief of The Wall Street Journal, is being formed to support journalistic integrity.