Original | Odaily Planet Daily (@OdailyChina)
Author | Dingdang (@XiaMiPP)
On June 26, the wstUSR market under the decentralized stablecoin protocol Resupply was reported to have been hacked, and approximately US$9.5 million in assets were transferred.
In the crypto world, such incidents are not uncommon, and the amount stolen from Resupply is not even remarkable. What turned it into a controversy was the response: the project team did not try to recover the stolen funds, hold anyone accountable, report the case to the police, or offer a bounty. Instead, it used community assets to fill the hole. The community's anger grew accordingly. OneKey founder Yishi, SlowMist founder Yu Xian and other crypto figures publicly called out the project team, and the governance dispute has even escalated into accusations of racial discrimination.
Odaily Planet Daily walks through the whole incident, sorts out the root causes of the conflict, and clarifies the positions of all parties.
1. Attack process: borrowing millions of dollars against 1 wei of collateral
Resupply is a decentralized stablecoin protocol built around crvUSD. Its underlying structure depends heavily on the Curve ecosystem's trading pools, interest rate model and asset peg logic. By attracting liquidity through trading pairs such as crvUSD-wstUSR, the project accumulated tens of millions of dollars in total value locked in a short period of time.
From its code, its governance logic and the way its treasury is accessed, Resupply looks like an independent high-rise, but it is in fact deeply rooted in the two major DeFi infrastructures of Curve and Convex. It is generally believed that it shares development resources with Convex, and there are even rumors that it was quietly incubated by the same core development team.
This relationship became the starting point of controversy after the incident.
On June 26, security company BlockSec first discovered abnormal fund flows in Resupply and initially estimated the loss to be $9.5 million.
The attack path was then reconstructed: the attacker took advantage of a structural design error in Resupply's deployment of the wstUSR vault. Specifically, by feeding carefully constructed parameters into the Controller contract, the exchangeRate dropped to zero, the collateral check failed to catch it, and all liquidation and risk-control mechanisms were bypassed.
With only 1 wei as collateral, the attacker borrowed a large amount of reUSD, swapped the assets into ETH, and mixed the coins through Tornado Cash. The lost assets were worth about US$9.5 million. Yu Xian, the founder of SlowMist, said that this was an interest-rate inflation loophole.
On June 28, Resupply released an analysis of the attack. It stated that the attack on Resupply's crvUSD-wstUSR trading pair caused about $10 million in reUSD bad debt, but that the vulnerability existed only in that specific token pair; other token pairs were not affected and the Resupply market continued to operate as usual. The debt limit of the affected pair has been set to 0 and insurance pool withdrawals have been suspended; a formal governance vote is required to lift the suspension. The problematic code segment had undergone multiple security audits, and independent researchers had been hired to review the code base, but the problem was never reported. The stolen funds remain on-chain, the situation is being monitored, and necessary measures will be taken.
The vulnerability itself is not complicated, but it breaks through the core security boundary of the protocol. The real controversy, however, starts with the project's remedial measures.
2. Remediation by the project party: Governance proposal becomes “cutting leeks” (fleecing users)?
On June 29, the official team of the Resupply protocol put a remedial measures proposal to the community, declaring that it would quickly restore the operation of the protocol through community consensus.
The specific contents of the proposal are as follows:
Phase 1: Take immediate governance action
Insurance Pool (IP) token burn: At the time of writing the proposal, the total outstanding bad debt is 7,131,168 reUSD, after the Resupply Protocol Treasury, Convex Treasury, and C2tP have paid out 2,868,832 reUSD.
The proposal specifically provides that:
6,000,000 reUSD of bad debt will be burned through the insurance pool, accounting for 15.5% of the 38.7 million reUSD in the insurance pool.
The protocol will address the ongoing bad debt to reduce the amount owed by the insurance pool. Overall, this is $4 million less than the amount of bad debt originally owed by the insurance pool.
The remaining bad debt ($1,131,168) will be repaid through a mix of future revenue sources such as, but not limited to, protocol fees and/or a potential RSUP over-the-counter sale program, to be determined at a later date by the treasury or governance.
IP Withdrawal Period:
The team is making every effort to shorten the mandatory lock-up period of user funds in the insurance pool. To this end, the voting period for Resupply governance votes will be shortened to 3 days.
With a shorter voting window, the DAO can make a quick on-chain decision on the proposal for the benefit of depositors and reach a final resolution within the initial 7-day IP cooldown period.
After this proposal closes, the DAO may choose to restore the regular voting period to 7 days, or explore other options such as different voting periods for standard and emergency votes.
Phase 2: Insurance Pool Retention Plan
Overview: The IP Retention Program applies to users who are depositors in the insurance pool at the time of this proposal and who are slashed in Phase 1 above. It is not intended to offset the slashing, although it may or may not do so; rather, it is intended to incentivize remaining in the insurance pool after the slashing through additional liquid RSUP tokens. Opt-in is the default, but users can opt out at any time if they decide not to participate.
Opting out redistributes the additional RSUP inflow to the remaining shares. This proposal requires the deployment of contracts, and the rewards will be issued at a later date once the contracts have been reviewed and deployed.
Project revenue source: A dedicated RSUP emissions receiver will be created for the retention program.
If passed, the proposal commits the DAO to distribute a total of 2.5 million to the receiver over 52 weeks.
The core of the above proposal can be summarized as:
6 million reUSD in the insurance pool is burned to cover the bad debt
The remaining $1.13 million of bad debt will be repaid from future protocol revenue
Streaming RSUP rewards are issued to users who stay in the insurance pool, to stabilize confidence
Withdrawals are suspended and voting cycles shortened to speed up governance
The proposal is ostensibly a quick “community collaboration”, but the community generally views it as an “unnegotiated mechanism for making users pay”.
The insurance pool was originally intended to absorb market fluctuations, not the project's deployment errors; and the proposal made no mention of recovering the stolen funds, accountability, reporting to the police, or a bounty. The project's first reaction was to use community assets to fill the hole, rather than to establish who was responsible for the vulnerability.
Governance has become a tool for “shifting responsibility”.
3. Community anger: victims or scapegoats?
After the attack, Resupply's Discord exploded. When some large LPs asked “why the insurance pool should pay for technical errors”, they were even kicked out or banned by administrators.
User dissatisfaction centers on three aspects:
Institutional level: The protocol documentation does not state that the insurance pool covers development errors, yet the project party unilaterally repurposed it after the fact.
Governance: Governance proposals were pushed through in a hurry, leaving users little room for participation and discussion.
Emotional level: After the attack, the project team showed neither empathy nor responsibility, and instead set about managing risk, public opinion, and sentiment.
For example, on June 27, OneKey founder Yishi spoke publicly for the first time, demanding that Curve provide a fair solution to every investor and return user funds lost due to serious technical errors by the project party.
He revealed that he was one of the three largest investors in Resupply and had lost millions of dollars. He believed that the attack was caused by a structural error in which the initial shares were not burned when the ERC-4626 vault was deployed, so that the attacker could mint unlimited shares at almost zero cost and drain the vault.
He also pointed out that the project not only tried to pass the losses on to the insurance pool users, but also banned reasonable questioners in the Discord group. He said that Curve, Convex, and Yearn had all supported Resupply in terms of technology, governance, or resources, and should not lightly disassociate themselves afterwards.
Community member @2233 3D posted a video accusing the Resupply team of various derelictions of duty: adopting an appeasement policy after a hacking incident caused by a low-level error in the contract, not pausing the protocol, not reporting the case, not offering a bounty, kicking and muting people in Discord, and claiming that the losses should be borne by users of an insurance pool that was meant to protect against market volatility risk.
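To make the mechanism described in the attack section and in Yishi's ERC-4626 explanation concrete, here is an added illustration that is not Resupply's, Curve's or any auditor's code. Python ints stand in for uint256 arithmetic; the share-price and exchange-rate formulas, the LTV limit and the 2-token donation are assumptions, and the point is the two defensive checks at the end.

```python
# Added illustration, not Resupply's code. Models how a lending controller that
# derives its collateral exchange rate from an ERC-4626-style vault can see that
# rate floor to zero when the vault is almost empty, and two mitigations.
# Formulas, the LTV limit and the constructed scenario are all assumptions.

WAD = 10**18        # 1e18 fixed-point scale, as in Solidity
LTV_LIMIT = 9500    # assumed max loan-to-value in basis points

def price_per_share(total_assets: int, total_shares: int, offset: int = 0) -> int:
    """Assets backing 1e18 shares, with floor division like uint256.
    offset > 0 adds virtual shares/assets (OpenZeppelin decimals-offset style)
    so that a tiny share supply cannot inflate the price without bound."""
    virtual_shares = 10 ** offset if offset else 0
    virtual_assets = 1 if offset else 0
    return (total_assets + virtual_assets) * WAD // (total_shares + virtual_shares)

def exchange_rate(pps: int) -> int:
    """Collateral shares per 1e18 units of debt; floors to 0 once pps > 1e36."""
    return WAD * WAD // pps

def is_solvent(borrow: int, collateral_shares: int, rate: int, guard_zero: bool) -> bool:
    """Vulnerable form (guard_zero=False): debt is valued via rate, so a zero
    rate values any debt at zero and every position looks solvent.
    Hardened form (guard_zero=True): a zero rate is treated as a pricing failure."""
    if guard_zero and rate == 0:
        return False
    if borrow == 0:
        return True
    if collateral_shares == 0:
        return False
    debt_in_shares = borrow * rate // WAD
    ltv = debt_in_shares * 10_000 // collateral_shares
    return ltv <= LTV_LIMIT

def scenario(offset: int, guard_zero: bool) -> tuple[int, bool]:
    """Constructed case: the vault holds a single 1 wei share while 2 tokens were
    sent straight to it, and a borrower posting that 1 wei share asks for
    10,000 tokens of debt. Returns (exchange rate, solvency verdict)."""
    pps = price_per_share(total_assets=2 * WAD, total_shares=1, offset=offset)
    rate = exchange_rate(pps)
    return rate, is_solvent(10_000 * WAD, 1, rate, guard_zero)
```

With no offset and no guard the rate is 0 and the 1 wei position passes the check; either a virtual-share offset or an explicit zero-rate rejection makes the same request fail.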
Yu Xian, the founder of SlowMist, added: The project owner is the first in history who has made no statement or taken any position on a bounty. If I were the attacker, I would also be confused. Why hasn't the project owner taken a position? Am I a black hat hacker or a white hat hacker?
The governance dispute has even escalated into racial discrimination. On June 28, OneKey founder Yishi posted that he had encountered the blatantly racist term “chixx choxx” while communicating with project members, which provoked widespread public anger. The term is widely regarded as a slur against the Chinese community. Many people in the industry immediately launched a “Slash” campaign in support of Yishi, emphasizing that racial discrimination is unforgivable in any context.
4. Curve founder Michael wants to sue: Not a bystander, but a victim?
Yishi said in a tweet on June 28 that Michael had threatened to sue him for defaming Curve's reputation, and expressed his dissatisfaction, remarking that honest people deserve to be bullied.
Michael's supporter @HaowiWang responded publicly that this is no longer a debate about who is right and who is wrong, but an attack on systemic trust in the Curve brand. He listed Yishi's five “major crimes”:
1. Malicious defamation and fabrication of facts: Yishi repeatedly attributed the Resupply incident to Curve on social networks and on Twitter, implying that it bore actual control responsibility and misleading the public;
2. Damage to reputation: As a public figure, Yishi directly or indirectly named Curve, causing the project to suffer a crisis of trust in the Chinese community;
3. Organized manipulation of KOCs to spread false information: He can mobilize a large number of KOCs/KOLs in the OneKey ecosystem to steer public opinion and construct a narrative of Curve as an accomplice;
4. An obvious intention to pressure Curve into covering the losses: through slogans such as “Curve is the biggest beneficiary” and “no response is acquiescence”, moral pressure is created in an attempt to make Curve cover the losses;
5. The chain of evidence is complete: tweets, screenshots, group chat records, forwarding chains, etc., meet the minimum threshold required for prosecution.
On the 29th, OneKey issued an official statement clarifying that it has never instigated, organized or manipulated any KOL or user in any form to launch a public opinion attack on Curve or any other project. OneKey said it will pursue legal responsibility for the malicious accusations and false statements spread by certain individuals on social platforms and will not tolerate them. In addition, its founder Yishi participated in the investment entirely in his personal capacity, and no official OneKey resources were involved in the project. At the same time, all OneKey products are open-source designs without backdoors and have been fully audited by professional security teams such as SlowMist.
On the 30th, OneKey founder Yishi posted a screenshot of being blocked by Curve Finance and captioned “Graduated”.
Conclusion: After the crisis, what remains is not agreement, but cracks
The Resupply incident started as a hacker attack and eventually evolved into a full-blown crisis over governance responsibility, community communication, racial discrimination and brand ethics.
This is not the first time DeFi has been attacked, nor will it be the last. But it may be the first time that a community has been pushed into the position of loss bearer without any response from the hacker or any apology from the project.
In the DeFi world, the basis of trust lies not in the white paper or the audit report, but in the project party's first response after an incident. Governance proposals may be able to repair the protocol, but they cannot repair a torn community. The protocol is still running, but the trust is gone and will not come back.