A hacker has attacked the lending protocol EraLend on the zkSync Era network and stolen a total of $3.4 million in crypto assets.
Representatives of the project have confirmed the hack and reported that the developers have suspended all lending transactions and advised users not to make new deposits.
The EraLend team is currently working with security firm BlockSec to investigate the incident.
The hacker most likely used a "read-only re-entrancy" attack in SyncSwap DEX, which allowed him to manipulate the price oracle to withdraw wrapped ETH and USDC.
According to BlockSec:
"The attacker changed the price of liquidity tokens during SyncSwap's [coin] burning or issuing activity, using its reserves to set its own rate. All projects using the affected exchange's code should remain on alert."
According to L2BEAT, the total value locked (TVL) on the zkSync Era L2 network has fallen from $735 million to $437 million in the 20 days since July 5, a 40% drop.
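
The read-only re-entrancy pattern BlockSec describes can be modelled in a few lines. The Python sketch below is an added example, not part of the original article and not SyncSwap's or EraLend's code: a pool's burn hands control to the caller after reducing LP supply but before syncing reserves (an assumed ordering), so an oracle reading at that moment sees an inflated LP price, while one that checks the pool's lock flag refuses to quote. All names and numbers are constructed.

```python
# Simplified model constructed for illustration; not SyncSwap or EraLend code.
class Pool:
    """Two-asset pool whose burn() hands control to the caller mid-update."""

    def __init__(self, reserve0, reserve1, total_supply):
        self.reserve0, self.reserve1 = reserve0, reserve1
        self.total_supply = total_supply
        self.locked = False  # set while state is being updated

    def burn(self, lp_amount, callback):
        self.locked = True
        out0 = self.reserve0 * lp_amount // self.total_supply
        out1 = self.reserve1 * lp_amount // self.total_supply
        self.total_supply -= lp_amount  # supply is already reduced ...
        callback()                      # ... when the external call runs (assumed ordering)
        self.reserve0 -= out0           # reserves are synced only afterwards
        self.reserve1 -= out1
        self.locked = False


def naive_lp_price(pool, price0, price1):
    """Oracle that trusts whatever the pool's views return at call time."""
    value = pool.reserve0 * price0 + pool.reserve1 * price1
    return value / pool.total_supply


def guarded_lp_price(pool, price0, price1):
    """Same formula, but refuses to price while the pool is mid-update."""
    if pool.locked:
        raise RuntimeError("pool state is being updated; price unavailable")
    return naive_lp_price(pool, price0, price1)


def demo():
    pool = Pool(reserve0=1_000, reserve1=2_000_000, total_supply=1_000)
    seen = {"before": guarded_lp_price(pool, 2_000, 1)}

    def during_burn():  # runs inside burn(), as a callback recipient would
        seen["during_naive"] = naive_lp_price(pool, 2_000, 1)
        try:
            guarded_lp_price(pool, 2_000, 1)
            seen["during_guarded"] = "priced"
        except RuntimeError:
            seen["during_guarded"] = "rejected"

    pool.burn(500, during_burn)
    seen["after"] = guarded_lp_price(pool, 2_000, 1)
    return seen
```

In the model the LP price is identical before and after the burn; only the read taken inside the callback is wrong, which is why a lending protocol consuming such a price needs the source to reject reads while its state is in flux.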