On the evening of July 25th, EraLend, the lending protocol with the highest TVL on zkSync, was attacked. The attacker manipulated the oracle price and obtained approximately $2.76 million from EraLend's USDC pool, while other pools remained unaffected. After the incident, EraLend suspended borrowing from all pools and depositing into the USDC pool and SyncSwap LP pool.
The attack did not only affect EraLend users; it also set off a chain reaction. Holders of the stablecoin USD+ suffered losses as well.
What is USD+?
USD+ is a stablecoin product issued by overnight.fi, which is deployed on multiple chains such as OP, Arb, and zkSync. Unlike common stablecoins backed by fiat reserves, this product does not have a direct connection with fiat currency but is pegged 1:1 to USDC.
(USD+ asset reserves)
Another attractive feature of USD+ is that holding the stablecoin generates income. The project invests the reserve assets in multiple DeFi protocols. Therefore, this product can be understood as a money market fund in the DeFi world, with USD+ generating a yield of 1% to 5%, and profits being distributed daily.
The official documentation states the advantages of using USD+ as follows: avoiding in-depth market research and frequent trading, participating in various DeFi protocols, and earning income without the need for collateral. In addition, the official document specifically states: "Please note that you will bear the risks of all protocols in the USD+ collateral."
If everything goes well (as the project team expects), users get a stablecoin asset that lives on-chain, is decentralized, and earns interest. It all sounds very promising. However, things didn't go as planned, and the EraLend security incident sent USD+ in a different direction.
When the city gate is on fire, the fish in the moat are affected
Why can USD+ holders earn profits? Because the project's reserve assets include a large number of DeFi assets. Unfortunately, EraLend deposits are also among them.
The official statement is that USD+ reserve assets were deposited into EraLend and used as collateral to borrow ETH. The deposited USDC and the borrowed ETH were paired into a USDC/ETH LP position that earned profits on mute.io. After the incident, approximately 283 ETH and 520,000 USDC have been withdrawn from the LP pool.
(Chain Operation Record)
The team stated that because it had borrowed a large amount of ETH for its LP position, the net asset exposure on EraLend is not significant (officially described as "the exposure has been offset"). However, the project still faces some stablecoin losses.
So far, Overnight has not disclosed its specific losses from this security incident on social media. However, based on its known exposure, Overnight.fi holds $786,162 on EraLend and has borrowed approximately 283.0596 ETH ($524,509). This leads to a potential maximum loss of $261,652, or approximately 261,000 USD. The supply of USD+ is currently 3,330,769, so the potential loss is about 7.86% of the market value.
How Does Rebase Take Away User Assets?
After the loss occurred, the way the Overnight team handled it left users dissatisfied.
The team stated that they will "rebase" USD+ to restore its price stability. However, they did not explain in detail on Twitter how the rebase would be performed.
From multiple user comments and community activity, we have finally learned that the so-called rebase re-issues the current USD+ as a smaller quantity of USD+ based on its reserve value. In other words, users will have to bear the loss caused by this incident.
SyncSwap, a DEX that is also part of the zkSync ecosystem, has provided an explanation for its users. The USD+ team will take snapshots of USD+ holders and liquidity providers for future compensation of affected funds. However, only those who make withdrawals will be included in the snapshot. If a user makes a withdrawal, their balance will be directly reduced through "rebase".
Twitter user @Jue 0123 withdrew their USD+ tokens and was surprised to find that 326 USD+ could only be exchanged for 267 USDC.
Users are complaining about this in the replies to the official Twitter account, saying, "You stole my money!"
Team Operations: Irresponsibility, Deleting Announcements
Aside from the poor handling of asset losses, the team's PR response to this incident has been equally bad.
After announcing the rebase, the official Overnight Twitter account began posting a flood of tweets. It has become difficult to find any tweets related to the security incident within the first few screens of the official account.
In addition, the official statement said, "You can find more detailed information on our Discord." However, the Discord announcement disclosing the progress of this security incident is no longer accessible.
On the Overnight official website, three products are clearly listed: USD+, ETS, and USD+ Insurance.
USD+ clearly states that this product is protected by insurance, and "any losses will be compensated from the insurance fund." USD+ Insurance, on the other hand, states that a portion of the USD+ returns is collected as a premium, and any losses from USD+ are first paid by the insurance fund.
In reality, not only is the security mechanism of USD+ completely ineffective, but its insurance mechanism has also failed to function. The way the aftermath has been handled is shocking.
What's even more absurd is that Overnight.fi has published information about nine team members and claimed that they have work experience at Google, Facebook, and other internet companies. However, Odaily searched for the LinkedIn profiles using the links provided on the official website and found that none of these nine individuals exist. The entire project is full of doubts.
In the world of blockchain, "Code is law," but no unilateral promises from any project can be trusted. Odaily reminds users to pay attention to asset security.
