Project loss borne by users? Stablecoin USD discounted by 30% overnight

Users bear project loss? 30% overnight discount on stablecoin USD

On the evening of July 25th, EraLend, the lending protocol with the highest TVL on zkSync, was suddenly hacked. The hacker manipulated the price of the oracle and obtained approximately $2.76 million from EraLend’s USDC pool, while other pools were unaffected. After the incident, EraLend suspended borrowing activities in all pools as well as depositing functions in the USDC pool and SyncSwap LP pool.

In this attack, not only EraLend users were affected, but it also caused a chain reaction. Holders of the stablecoin USD++ also suffered losses.

Who is USD+?

USD+ is a stablecoin product issued by overnight.fi, which is deployed on multiple chains such as OP, Arb, and zkSync. Unlike common stablecoins backed by fiat reserves, this product is not directly linked to fiat currency but is pegged 1:1 to USDC.

• What are the noteworthy catalysts after Velodrome V2?
• An in-depth analysis of LPDFi Can it spark the next wave of DeFi narrative? What are the projects worth paying attention to?
• Binance Research Current Status and Project Progress of the RWA Market

Another attractive feature of USD+ is that holding the stablecoin generates income. The project team invests the reserve assets in multiple DeFi protocols. Therefore, this product can be understood as a money market fund in the DeFi world, with USD+ generating a yield of 1% to 5%, and profits are distributed daily.

The benefits of using USD+, as stated in the official documentation, are as follows: avoiding in-depth market research and frequent trading, participating in numerous DeFi protocols, and obtaining income without the need for collateral. Additionally, the official documentation explicitly states, “Please note that you will bear the risks of all protocols in USD+ collateral.”

If everything goes well (as expected by the project team), users can have a fully on-chain, decentralized stablecoin asset that generates interest simply by holding it. This all sounds very promising. However, things didn’t go as planned, and EraLend’s security incident took USD+ in a different direction.

When the City Gate Burns, All Fish in the Pool Suffer

Why can USD+ holders generate income? It’s because the project’s reserve assets include a large amount of DeFi assets. Unfortunately, this also includes EraLend deposits.

According to the official statement, USD+ reserve assets were deposited in EraLend and used as collateral to borrow ETH. The two were combined to form the USDC/ETH LP and generate income on mute.io. After the incident, approximately 283 ETH and 520,000 USDC were withdrawn from the LP pool.

The official statement also mentioned that since the project had lent out a large amount of ETH in the LP, the net asset exposure on EraLend was not significant (officially stated as “exposure has been offset”). However, the project still suffered some stablecoin losses.

As of now, Overnight has not disclosed the specific losses in this security incident on social media. However, based on Overnight’s exposure, it can be estimated that Overnight.fi holds $786,162 in EraLend and borrows approximately 283.0596 ETH ($524,509). This results in a potential maximum loss of $261,652, approximately 261,000 US dollars. The current supply of USD+ is 3,330,769, so the potential loss is about 7.86% of the market value.

How does rebase take away user assets?

After the loss occurred, the way Overnight team handled it caused dissatisfaction among all users.

The team stated that they will “rebase” USD+ to restore its price stability. However, the details of how to perform the rebase were not explained in detail on Twitter.

Through multiple user comments and community operations, we finally learned that the so-called rebase means that the current USD+ is re-minted into fewer USD+ based on its reserve value. In other words, users have to bear the loss of this incident.

SyncSwap, another DEX project in the SyncSwap ecosystem, provided a thoughtful explanation to its users. The USD+ team will take a snapshot of USD+ holders and liquidity providers for future compensation of affected funds, but only those who make withdrawals will be included in the snapshot. If users make withdrawals, their balances will be directly reduced through “rebase”.

Twitter user @Jue0123 made a withdrawal of his USD+. But to his surprise, 326 USD+ can only be exchanged for 267 USDC.

Under the official Twitter account, users expressed their complaints, saying, “You stole my money!”

Team operations: Irresponsible, deleting announcements

In addition to the poor handling of asset losses, the public relations attitude towards this incident is equally bad.

After announcing the rebase, Overnight’s official Twitter account began to flood with multiple tweets. It is now difficult to find tweets related to the security incident within the first few screens of the official account.

In addition, the official stated, “You can find more details on our Discord.” However, the Discord announcement disclosing the progress of this security incident is no longer accessible.

On the Overnight official website, we can clearly see three products: USD+, ETS, and USD+ Insurance.

USD+ explicitly states that the product is protected by insurance and “any losses will be compensated from the insurance fund”. USD+ Insurance states that the product collects a portion of the USD+ revenue as a premium, and the losses of USD+ are first paid by the insurance fund.

In fact, not only did the security mechanism of USD+ completely fail, but its insurance mechanism also failed to function, and a series of subsequent processing operations were even more surprising.

What’s even more absurd is that Overnight.fi website has published information about nine team members, claiming that they have worked at Google, Facebook, and other internet companies. However, according to the LinkedIn links provided on the official website, none of these nine people can be found. The entire project is full of doubts.

In the world of blockchain, code is law, but no unilateral promise from any project party is trustworthy.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!