Era Lend, a decentralized lending protocol operating on zkSync Layer 2, become the latest victim of a reentrancy attack that resulted in a loss of $3.4 million, as confirmed by security analysts at BlockSec.

The attack exploited a read-only reentrancy vulnerability that allowed the hacker to make repeated calls to a function within a single transaction, withdrawing more funds than they were entitled to. Taking advantage of a faulty price oracle that Era Lend relied upon, the attacker used the reentrancy exploit to further drain assets from the protocol.

Typically, view functions labeled as read-only are considered safe, often lacking reentrancy protection since they don’t change the contract’s state. The term “read-only” indicates that the function merely performs a view action, such as …