After EraLend was hacked, I and the victims collaborated remotely to pool funds for self-rescue.

After EraLend hack, victims and I collaborated remotely to pool funds for self-rescue.

On the evening of July 25th, EraLend, the lending protocol with the highest TVL on zkSync, was hacked.

According to the announcement released by EraLend afterwards, the reason for this attack was that the hacker manipulated the oracle price and obtained approximately $2.76 million from EraLend’s USDC pool, while other pools were not affected.

After the incident, in order to contain further impact, EraLend temporarily suspended borrowing from all pools and depositing funds into the USDC pool and SyncSwap LP pool.

Since I am keen on exploring new projects in the blockchain ecosystem, I naturally did not miss EraLend, a relatively popular project with a large user base.

Unfortunately, I happened to have 1000 USDC deposited in EraLend’s USDC pool, so I “luckily” became a direct victim of this incident.

On July 26th, when I opened EraLend’s interface and saw that the size of the USDC pool was almost reduced to zero, and withdrawal seemed hopeless, I could only sigh and say, “It’s really unfortunate.”

Out of curiosity about how the situation would develop, I opened EraLend’s official Discord channel. After browsing through the announcement channel with no progress, I opened the Chinese channel to see if there were any other victims.

Upon entering the channel, I found that although there were some sympathetic people intermittently inquiring about the current situation, more Chinese users were actively discussing another matter – “fishing the pool”.

As if struck by lightning, I instantly realized that there seemed to be a turning point in the situation!

“Fishing the pool” refers to actively monitoring the specific changes in the size of the USDC pool and seeing if there are any new funds flowing in. Then, by initiating one transaction after another, one can slowly “fish” their deposits back from the pool.

So, why is there still a continuous flow of funds into the USDC pool that has been emptied by hackers and has suspended deposits?

The answer lies in the fact that only USDC was affected in EraLend’s recent hack. ETH and SyncSwap LP pools were not affected. Due to concerns about the project’s security, users who had assets in these two pools and used them as collateral to borrow USDC need to repay their USDC debt before they can withdraw their funds (ETH or SyncSwap LP tokens). This constantly brings back debt funds to the USDC pool and provides an opportunity for victims to “fish” their funds back.

Of course, since each debt repayment only brings back an uncertain amount of USDC, and there are many victims hoping to recover their losses by watching the pool, competition becomes fierce. In this situation, the most formidable competitors are scientists who have deployed bots. However, perhaps due to the limited popularity of L2 projects (or more likely, scientists who can understand the code generally won’t fall into such unfortunate situations), many users have stated that manually “fishing” can also have a high success rate.

When I entered the channel, several big shots happened to mention how much funds they had “pulled out”, especially this guy who stayed up all night and “pulled out” 1000 USDC. Because the amount of funds happened to be the same, his statement gave me the determination to make a big move.

So starting from this afternoon at around 2 o’clock, I also started to try to “pull” from the pool.

After several attempts to initiate withdrawal requests on the EraLend front-end but received an error prompt, I finally submitted the first transaction when the balance in the pool was about 4 US dollars, but unfortunately it did not get confirmed on the chain. After asking the big shots in the community, I learned that this is also normal, after all, everyone is scrambling for these funds. Although there will be some gas loss in case of transaction failure, this loss is not severe compared to retrieving the funds.

So I continued to try and gradually discovered that in about every 2-3 withdrawal requests, one can successfully initiate a transaction by avoiding the error prompt. After that, there is probably one successful confirmation in every 2-3 transactions (there will also be a situation where n consecutive transactions fail, but this is only the overall probability), thus completing the withdrawal of sporadic funds.

As for the amount that can be obtained from each successful withdrawal, in most cases it is only 1-3 US dollars.

However, if you happen to encounter a “living Buddha” who makes a large repayment, there is also an opportunity to “pull” a big amount. In my case, the highest amount I have ever “pulled” at once was 301 USDC, which greatly accelerated my overall progress.

This completely random result feedback gave me a unique sense of excitement, and of course I am not the only one who thinks so. Someone joked in the community saying, “Even think it’s fun, pulling a big one can be enjoyable for half an hour.”

More users are joking and cheering each other up, saying, “This is much better than delivering takeout.”

In conclusion, as more and more people continue to “pull” back their funds, it seems that there is not much suppressed sentiment in the community due to the hacker incident.

Finally, at around 5 o’clock in the afternoon, I completed the last transaction of about 6 US dollars and successfully retrieved the 1000 USDC that I thought I would never get back. The whole process took about 3 hours.

Overall, I probably made less than a hundred transactions (including failed ones). Considering that EraLend will refund some gas for successful withdrawal transactions, the gas consumption for each transaction is about 0.4 US dollars, so the total consumption is about 40 US dollars. It’s worth it, this account is completely cost-effective!

As of the time of writing, many users are still “digging” and trying to retrieve their funds from EraLend. However, it can be foreseen that as more users participate and the debt scale continues to shrink (i.e. the total amount of funds that can be withdrawn from the USDC pool decreases), the later it gets, the lower the possibility of retrieving the funds.

It is difficult to judge whether this is right or wrong. From the perspective of protocol operation, some victims are transferring the bad debt risk caused by the hacker incident to the protocol itself and other users who have not yet escaped by “digging the pool” in advance. However, in the current situation of EraLend, with the continuous shrinkage of TVL (mainly due to users withdrawing funds from the other two pools), the protocol may even face the potential of insolvency. In this difficult situation, the victims have an opportunity to recover their losses and naturally will not miss it.

Anyway, I’m running away first as a gesture of respect.